How to Protect Your College Student from Identity Theft on Campus

Five tips for better data and device  security habits at college

This fall, roughly 19.9 million college students will attend colleges and universities in the United States, and about 12.5 million of them will be under the age of 25. 

For many young adults, college isn’t just a transition to higher education, it’s a transition to living on their own and taking responsibility for their own finances, digital identity, credit score and banking information — all of which are critically important components of future success and security. 

As I wrote about back in 2010, College-Bound Students Are Vulnerable as Identity Theft Targets. So, parents, as you perform the ritual of shopping for dorm room supplies and stocking up on merch at the college bookstore, you should also be guiding your child through some key processes of establishing credit and safeguarding against identity theft on campus. I say guide because it’s tempting for parents to do the work themselves, but now is the time to step away from the snowplow and let your child learn to shovel their own road. In fact, it’s a good idea to start the process while your child is in high school.

Establish Credit

Educate your kids about starting to establish credit so they have it when they go to rent an apartment or buy a car. One of the simpler ways to do this is to have them apply for and use a student credit card with a small amount of credit. During this process (and any process like it), there are a series of security and privacy decisions that come into play. 

  • A great deal of personal information is collected, analyzed and sold by companies that prey upon naive college students. Make sure that, when applying, your child opts out of all information sharing possible. The minute or two spent changing the default settings (reading and unchecking the marketing and privacy boxes) will save the proliferation of their data down the road. 
  • Teach them to create a long and strong password (preferably with a password manager) that is unique on every website. 
  • Register for automatic account alerts when a sizeable amount of money is transferred, deposited or due so they have a daily view of their balances and activity. 
  • Have them turn on two-factor authentication to eliminate a majority of account takeover by cyber criminals. 
  • Teach them to monitor and reconcile their accounts monthly. 

Freeze Credit

Once your student has opened a credit card account, they should freeze their credit with the three primary credit bureaus: Equifax, Experian and TransUnion. This simple and free step is one of the greatest ways to protect their data and their future buying and credit power. 

Be Street Smart

Aside from protecting their cyber identity, students need to take precautions to protect their physical identity and important documents. 

  • Have sensitive physical documents (bank, legal, personal, FAFSA, applications, etc.) sent to a permanent address (e.g., parents’ home).
  • Leave your Social Security card, passport and other documents in a permanent, off-campus location (e.g., parents’ home in a fireproof and waterproof box or a bank safe deposit box).
  • Shred any important financial documents that come in the mail and never leave sensitive mail lying out.
  • Always lock your dorm room door and don’t leave devices unlocked or unattended in a gym locker, the library or a classroom.
  • Check for unusual devices added to ATMs that might be skimming card info.
  • Always cover the keypad with your hand when entering your PIN, whether at an ATM or a retail store.

Secure Devices

Make sure your student has long and strong passwords on their phones, tablets and laptops and that they don’t share them unless absolutely necessary. There are more than 100 privacy and security settings on the average phone; students need to take the time to customize them and lock down their data. 

Watch this video on How to Bulletproof Against a Stolen Smartphone

Here’s a detailed list of how to secure devices at college.

  • Don’t leave your laptop in an unattended car or in a public place (library, dining room, classroom).
  • Register your laptop with campus security if possible.
  • Install laptop tracking software (e.g., Find My iPhone, Lojak) and enable Find My iPhone on the device.
  • Spend time locking down the privacy and security settings on your smartphone — you won’t believe what you’re giving away for free and how damaging it can be.
  • Don’t store personal information (SSN, passwords, etc.) in unencrypted files or insecurely in the cloud.
  • Securely back up your files on a remote hard drive or a trusted cloud provider (iDrive, iCloud, Carbonite) in case your data is lost or frozen by ransomware.
  • Lock your phone screen with at least a 6-digit passcode — the longer, the safer.
  • Be mindful of malware and ransomware “updates” from untrusted sources.
  • Be suspicious of communal workstations in dorms, libraries, etc. Never log in to websites with usernames and passwords unless you’re certain the computer is secure and won’t save your information.
  • Turn on automatic computer operating systems, software and mobile app updates.
  • Encrypt your laptop (Apple: FileVault, Windows: BitLocker) and smartphone (by using a strong password).
  • Don’t take or store sensitive or embarrassing photos on your devices, as they are commonly exposed by hackers, friends or former girlfriends and boyfriends.
  • Invest in strong security software with anti-virus, spyware and ransomware protection, even if you own an Apple.
  • Don’t discard or sell old devices without professionally wiping them of all data and removing or erasing all SIM cards.
  • Don’t insert strange storage devices (i.e., USB drives) and only insert such devices from friends or administration after scanning them for viruses.

Be Social Media Smart

According to Pew Research, in 2018, 90% of adults between 18 and 24 used the YouTube app, 76% used Facebook and 75% used Instagram. Our kids are spending a lot of time on social media, and all those platforms are collecting data — and selling it to advertisers. Unfortunately, cyber criminals are also accessing that data and using it to commit crimes or simply selling it on the dark web.

The default setting on social media platforms is to share everything, so students should start by un-defaulting their privacy settings. This one action will put them in the top 1% of savvy social media users. This blog post from last year explains the 6 Ways Your Facebook Privacy Is Compromised. Beyond that, teach your child to be careful about who they friend and what they share on social media. 

You can find more tips on how you and your student can lock down social media accounts, as well as how to protect student data and devices on campus, in The Data Privacy & Security Checklist for College Students  (PDF).

As you send your child off to college this fall, arm them with the knowledge and power to keep their identity safe — in both the real world and online. Most importantly, let them know that it’s okay to ask for help from you, the university or a trusted advisor.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is an award-winning author and keynote speaker on cybersecurity, identity theft and tech/life balance. He energizes conferences, corporate trainings and main-stage events by making security fun and engaging. His clients include the Pentagon, Schwab and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

Is Document Shredding Still a Thing in This Digital Age?

Document shredding seems to have fallen out of favor. I recently received some questions from a client wondering if, in the age of remote massive database breaches by pajama-clad hackers, we should still shred our sensitive documents.  If it is so easy to access it digitally, then why would anyone go through the arduous, dirty work of old-fashioned dumpster diving?

In case you have the same questions, here are my thoughts:

Is Identity theft via paper still an issue in this digital age?

Without even a moment’s hesitation – YES IT IS! It no longer gets the press it used to and dumpster diving, physical file theft and the like never account for the sheer volume of identities stolen (it’s more profitable and efficient to hack a million IDs at a time from Facebook or Equifax), but they are still part of the criminal toolkit, especially for local criminals (who don’t have hacking experience) and especially for organized criminals that need small bits of information from a target before they socially engineer them to hand over the keys to the kingdom (e.g., gaining their trust to manipulate them out of their user login credentials at work based on information from physical documents, embarrassing trash, etc.).

Do people still need to shred all of their paper documents? 

The initial answer is no, because that information is already out there in volumes. The wiser answer, from a habituation perspective, is yes. In 30 seconds a day (if your shredder is convenient), you can shred everything with personal information on it? That way, when it does have something more valuable (account number, last four of your SSN or any of those small bread crumbs that lead to greater levels of trust and access), you have already established a good habit. When users are advised to just shred X or Y, instead of everything personal, they eventually forget or give up because the volume is too low.

Are cross-cut document shredders enough or should we use higher-security micro-cut shredders?

For the average person who doesn’t work in a defense-related, finance-related or health-related job (you get the idea), I think that a simple confetti shredder is plenty sufficient. There is technology out there to recreate documents, but that isn’t really the concern of your average reader. If they have security clearance or deal with highly sensitive information from work in their home, then yes, the higher end are better.

The Achilles heel of shredding is that people don’t take care of them (empty them, oil them, etc.) and they break like a car with no oil, so that is part of the deal – you have to maintain them. I still have a shredder in my home office and several at work. We put all of the documents in a bin next to the shredder and shred them a couple of times per week before the trash goes out. That makes it a bit more efficient.

In other words, how paranoid should we still be about shredding documents?

Paranoid is a touch too strong. Just be smart. Think about unshredded documents as the reconnaissance tools that cyber criminals use to commit larger crimes. If I find your bank statement unshredded in the trash, I can now call you, pretend to be the bank using a caller ID spoofing app, recite the last four digits of your account and get the information I need acting as the bank to close out your account on the very next call. And from a corporate perspective, it’s even more valuable data.

So what are the basic reasons behind document shredding?

  • Prevent identity theft
  • Protect your customers and your employees
  • It’s the law (under the Data Protection Act)
  • It saves space
  • It’s “green”! Shredded paper makes recycling much easier

What documents should you shred?

  • Medical records and bills (keep for at least a year after payment in case of disputes)
  • Old tax returns: after three years of returns you are allowed to throw them away, as long as you aren’t committing fraud – otherwise you can be held liable indefinitely
  • Old photo IDs
  • Bank, investment, medical or insurance statements (or anything else that contains vital identity or account numbers)
  • Credit card offers and expired credit and debit cards
  • Canceled or voided checks
  • Pay stubs
  • Copies of sales receipts
  • Convenience checks (Blank checks your credit card company sends to borrow against your credit line)
  • Junk mail that contains personally identifying information (watch for barcodes)
  • Mail related to your children or their school

Remember, shredding isn’t only for large companies.  As someone who personally was a victim of dumpster diving, trust me and take the extra four seconds to shred that piece of trash; it may save you years of time spent trying to recover from financial devastation.

About Cyber Security Keynote Speaker John Sileo

John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

BREACHED! Customer Data from Quest Diagnostics & Lab Corp

Within just a few days of each other, both Quest Diagnostics and Lab Corp, two of the largest blood testing providers in the nation, warned that millions of their customers might have had information breached. In both cases, customers may have had personal, financial and medical information breached due to an issue with the American Medical Collection Agency (AMCA), a billing collections service provider used by both companies.

Between August 1, 2018, and March 30, 2019, someone had unauthorized access to the systems of AMCA. Quest reported that the affected system stored information on roughly 11.9 million of its patients. In addition, LabCorp numbers could be up to 7.7 million customers.

“(The) Information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers),” Quest said in a filing with securities regulators. AMCA did not have access to actual lab test results.

Change Your Behavior After the Breach

If you, like pretty much EVERYONE I know, have used either of these services, follow the steps below to protect yourself against future attacks.

  1. Assume that your identity has been compromised. If you have been a customer of either company, don’t take a chance that you are one of the very few customers that aren’t affected. It’s not time to panic; it’s time to act.
  2. Read the explanation of benefits statement from health insurers to confirm that your charges are correct.
  3. I recommend placing a verbal password on all of your bank accounts and credit cards so that criminals can’t use the information they have from the breach to socially engineer their way into your accounts. Call your banks and credit card companies and request to place a “call-in” password on your account.
  4. Begin monitoring your bank, credit card, and credit accounts regularly.
  5. Visit AnnualCreditReport.com to get your credit report from the three credit reporting bureaus to see if there are any newly established, fraudulent accounts set up. DON’T ONLY CHECK EQUIFAX, AS THE CRIMINALS HAVE ENOUGH OF YOUR DATA TO ABUSE YOUR CREDIT THROUGH ALL THREE BUREAUS.

Take Action on Your Accounts

  1. Change your passwords. We hear all the time about stupid things people do when it comes to creating passwords; the most commonly used passwords in the United States for the past several years include “123456”, “password” and some variation like “password1234”. The bottom line is it is nearly impossible to effectively create and remember all the passwords we need to function in our daily lives. It seems there are two ways people handle this. They continue to use the same (usually poor) passwords over and over, or they do what I highly recommend and use a password manager program.
  2. Enable two-step logins. Two-step logins are when two separate passcodes are required to log in to one of your online accounts. One of the most common and popular forms is called text verification, and I’m sure you’ve already experienced it. That’s where you log in to your online account with your regular username and password, and then a secondary passcode is sent to your phone by text or even better, through an App like Google Authenticator. Without that second passcode, no one gets into the account.
  3. Set up account alerts. To monitor accounts quickly and conveniently, sign up for automatic account alerts when any transaction occurs on your account. As a result, if you spend even a dollar at a store, you receive an email or text notifying you of the purchase. If you receive an email for an amount you didn’t spend – bingo – you’re probably a victim of fraud.
  4. MOST IMPORTANTLY, FREEZE YOUR CREDIT. Some websites and cybersecurity experts will tell you to place a fraud alert on your three credit profiles. I am telling you that this isn’t strong enough to protect your credit. Freezing your credit puts a password on your credit profile so that criminals can’t apply for credit in your name (unless they steal your password too). Here are the credit freeze websites and phone numbers for each bureau. Learn more about freezing your credit by watching the video here.

Contact Credit Companies

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742


John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

Marriott Data Breach: 500 Million Accounts Compromised

If you have stayed at one of Marriott’s Starwood hotels in the past few years, chances are you have been affected by a massive data breach that potentially exposed your personal data along with about 500 million other people. Your name, phone numbers, email addresses, passport number, date of birth, and potentially credit card numbers and expiration dates are at risk.

Marriott said in the coming weeks they will start reaching out to affected guests and has set up a website with information about the breach.

For those of you concerned about whether your information was stolen, here are a few steps you can take to protect yourself:

Change your passwords

We hear all the time about stupid things people do when it comes to creating passwords; the most commonly used passwords in the United States for the past several years include “123456”, “password” and some variation like “password1234”. People are easily tricked into giving away their passwords to the likes of Jimmy Kimmel or Ellen to our amusement. Before Sony was breached, they infamously kept their passwords in a file called “Passwords”!

The bottom line is it is nearly impossible to effectively create and remember all the passwords we need to function in our daily lives. It seems there are two ways people handle this. They continue to use the same (usually poor) passwords over and over or they do what I highly recommend and use some sort of password manager program. 

Enable two-step logins

Two-step logins are when two separate passcodes are required to log in to one of your online accounts. One of the most common and popular forms is called text verification, and I’m sure you’ve already experienced it. That’s where you log in to your online account with your regular username and password and then a secondary passcode is sent to your phone by text or even better, through an App like Google Authenticator. Without that second passcode, no one gets into the account.

Set up account alerts 

To monitor accounts quickly and conveniently, sign up for automatic account alerts when any transaction occurs on your account. If you spend even a dollar at a store, you receive an email or text notifying you of the purchase. If you receive an email for an amount you didn’t spend – bingo – you’re probably a victim of fraud.

MOST IMPORTANTLY, FREEZE YOUR CREDIT.

Some websites and cybersecurity experts will tell you to simply place a fraud alert on your three credit profiles. I am telling you that this isn’t strong enough to protect your credit. Freezing your credit puts a password on your credit profile, so that criminals can’t apply for credit in your name (unless they steal your password too). Here are the credit freeze websites and phone numbers for each bureau.

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

Equifax is being overwhelmed by requests, so be patient and keep trying. Even if it doesn’t happen today, you need to Freeze Your Credit!