Organizations and individuals that have already experienced cyber crime face elevated risk of being targeted again. Use this checklist to reduce the information criminals use to impersonate you, open accounts in your name, bypass account recovery, or build believable scams.
Repeat victimization is common. In a National Institute of Justice-supported analysis of scammers’ own records, 62% of victims experienced more than one fraud incident. Data breaches, social media, public websites, and data brokers create a profile criminals use to make scams believable. A scammer does not need every detail from one source. They combine exposed emails, phone numbers, addresses, employer details, family relationships, job history, public posts, and breached passwords to sound legitimate.

1. Freeze and monitor your credit
A credit freeze helps prevent criminals from opening new credit accounts in your name.
Take these steps:
- Freeze your credit with all three major credit bureaus:
- Use a credit monitoring service to manage your credit freeze and monitor your credit file.
- Turn on alerts for:
  - New credit inquiries
  - New accounts
  - Address changes
  - Suspicious activity
- Review your credit report regularly.
Why this matters:
If your name, address, phone number, or Social Security number has been exposed, a credit freeze reduces the risk of someone opening new accounts using your identity.
2. Check whether your information has appeared in breaches
Known breaches give criminals verified information about you.
Take these steps:
- Use Have I Been Pwned to check:
  - Personal email addresses
  - Business email addresses
  - Old or forgotten email addresses
- Sign up for breach alerts.
- Change reused passwords connected to exposed accounts.
- Treat any exposed email address as compromised for targeting purposes.
- Prioritize:
  - Email accounts
  - Bank accounts
  - Social media
  - Cloud storage
  - Business tools
  - Shopping accounts with saved payment methods
Why this matters:
A breached email address may be paired with old passwords, phone numbers, names, addresses, employers, or other details. Criminals use that information to build more credible scams.
3. Remove personal information from data brokers
Data brokers and people-search sites often publish home addresses, relatives, phone numbers, age, aliases, and prior locations.
Take these steps:
- Use DeleteMe for personal and organizational data removal.
- Prioritize removal of:
  - Home addresses
  - Personal phone numbers
  - Personal email addresses
  - Relatives
  - Prior locations
  - Age and date-of-birth clues
- Recheck exposure regularly because brokered data often reappears.
For organizations, prioritize:
- Owners
- Executives
- Finance staff
- Information technology staff
- Legal staff
- Human resources staff
- Executive assistants
- Anyone with access, approval authority, or public visibility
Why this matters:
Brokered personal data helps criminals impersonate family members, defeat weak identity checks, target executives, and make social engineering attempts sound personal.
4. Limit or delete social media
Social media gives criminals timing, emotion, relationships, habits, and context.
Take these steps:
- Delete accounts that are not necessary.
- Limit LinkedIn exposure where possible.
- Remove or restrict:
  - Personal phone numbers
  - Family details
  - Travel plans
  - Children’s activities
  - Job-change details
  - Workplace frustrations
  - Personal milestones
  - Health or family stressors
- Do not post screenshots showing:
  - Emails
  - Calendars
  - Badges
  - Dashboards
  - Internal tools
  - Documents
  - Customer or vendor names
- Hide friend lists, follower lists, and personal contact details.
If social media is necessary for business:
- Keep private accounts under aliases.
- Do not reuse profile photos across professional and private accounts.
- Do not reuse usernames across platforms.
- Do not connect private accounts to business profiles.
- Do not use the same phone number or email address for private and professional accounts.
Why this matters:
Breached data tells criminals who you are. Social media tells them what matters to you and when to contact you.
5. Treat social media messages and emails as untrusted
A message is not safe because it arrives through a familiar platform.
Treat unexpected messages as suspicious when they come through:
- Text message
- X
- Signal
- Telegram
- Other messaging apps
Be especially cautious with:
- Recruiter messages
- Vendor outreach
- Media requests
- Investor interest
- Event invitations
- Refund notices
- Account alerts
- Urgent family or friend requests
- Requests to move to another platform
Do not:
- Click unexpected links.
- Open unexpected attachments.
- Call phone numbers sent in unexpected messages.
- Share verification codes.
- Share passwords.
- Share banking details.
- Provide personal information through messages.
Instead:
Verify through a separate trusted channel, such as a known phone number, official website, or direct contact already saved in your records.
Why this matters:
A real detail in a message is not proof the message is legitimate. It may be proof your information was exposed.
6. Treat published information as compromised
If it is public, assume criminals have it.
Review and reduce exposure on:
- Personal websites
- Business websites
- Staff pages
- Executive bios
- Old resumes
- Conference pages
- Podcast pages
- Press releases
- Public filings
- PDFs
- Nonprofit pages
- Vendor pages
- Online directories
Remove unnecessary:
- Direct emails
- Personal phone numbers
- Mailing addresses
- Home addresses
- Tax identification numbers
- Nonprofit identification numbers
- Detailed biographies
- Family references
- Internal role details
Replace where possible with:
- Controlled intake forms
- Shared inboxes
- Published business numbers
- Limited bios
- Role-based contact options
Why this matters:
Published information becomes adversary source material. A public email address may receive phishing. A public phone number may receive scam calls. A detailed bio may support impersonation.
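
One way to run this review against a page you publish yourself, as an added example that is not part of the original checklist: it separates direct (person-specific) email addresses from shared inboxes and collects phone numbers for manual review. The role-name list, the `audit_page` function and the sample HTML are constructed assumptions; adjust them to your own site.

```python
import re
from html.parser import HTMLParser

# Assumed local parts that indicate a shared, role-based inbox (edit for your org).
ROLE_LOCAL_PARTS = {"info", "contact", "support", "billing", "press", "careers", "hello"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b")  # US-style numbers only

class TextAndMailto(HTMLParser):
    """Collects visible text plus mailto: targets, which are easy to miss by eye."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                # Drop the scheme and any ?subject=... query string.
                self.chunks.append(value.split(":", 1)[1].split("?", 1)[0])

    def handle_data(self, data):
        self.chunks.append(data)

def audit_page(html):
    """Return the contact details a published page exposes, grouped for review."""
    parser = TextAndMailto()
    parser.feed(html)
    text = " ".join(parser.chunks)
    emails = sorted({e.lower() for e in EMAIL_RE.findall(text)})
    direct = [e for e in emails if e.split("@")[0] not in ROLE_LOCAL_PARTS]
    role = [e for e in emails if e.split("@")[0] in ROLE_LOCAL_PARTS]
    # Normalize to digits so "(555) 010-0123" and "555.010.0123" count once.
    phones = sorted({re.sub(r"\D", "", p) for p in PHONE_RE.findall(text)})
    return {"direct_emails": direct, "role_emails": role, "phones": phones}

# Constructed sample staff page (not a real site).
SAMPLE_HTML = """
<h2>Our team</h2>
<p>Jane Doe, Finance Director. <a href="mailto:jane.doe@example.org?subject=Hi">Email Jane</a>
   or call her cell: (555) 010-0123.</p>
<p>General questions: info@example.org, main line 555-010-0199.</p>
"""

if __name__ == "__main__":
    for kind, values in audit_page(SAMPLE_HTML).items():
        print(kind, values)
```

Every entry under `direct_emails` is a candidate to replace with a shared inbox or intake form; the phone list still needs a human to decide which numbers are personal.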
7. Search yourself like an attacker
You cannot reduce exposure you have not seen.
Search for:
- Your name
- Business name
- Email addresses
- Phone numbers
- Home address
- Usernames
- Old usernames
- Key employees
- Executives
- Family members connected to public records
Search combinations such as:
- Your name + employer
- Your name + phone number
- Your name + address
- Your name + family member
- Your name + LinkedIn
- Business name + staff
- Business name + vendors
- Business name + payments
- Business name + grants
- Business name + contracts
- Business name + donations
Use ChatGPT carefully:
Ask it to summarize what an attacker could infer from public information you provide or locate yourself. Do not paste sensitive private information into any tool unless you understand the privacy implications.
Why this matters:
The goal is not curiosity. The goal is to see what an attacker sees.
8. Strengthen account security
Exposure reduction should be paired with stronger account protection.
Take these steps:
- Use a base password you can remember, such as “Cr@3y”, and for each new account combine the base password with a unique combination or pattern of characters for that account.
- I do not recommend password managers because they add additional exposure and possible avenues for breaches of your most sensitive information. If you must write down passwords, go old school and use pen and paper and, if possible, a locking file cabinet.
- Turn on multi-factor authentication wherever available.
Multi-factor authentication means the account requires more than a password.
Examples include:
- A passkey
- A hardware security key
- A code from an authentication app
- A text message code
Use the strongest option available:
- Best: passkeys or hardware security keys
- Strong: authentication apps such as Microsoft Authenticator, Google Authenticator, Duo, 1Password, or similar tools
- Better than nothing: text message codes
Never read, send, or repeat a multi-factor authentication code to anyone.
Also review:
- Backup email addresses
- Recovery phone numbers
- Trusted devices
- Connected apps
- Old devices
- Email forwarding rules
Why this matters:
If criminals control your email, they may control the password reset path for many other accounts.
9. Monitor for misuse
Early detection reduces damage.
Turn on alerts for:
- Bank transactions
- Credit card purchases
- New credit inquiries
- New logins
- Password changes
- Multi-factor authentication changes
- New devices
- Changed phone numbers
- Changed email addresses
- Changed payment methods
- Bank account or payout changes
Watch for:
- Password reset emails you did not request
- Login alerts from unfamiliar locations
- New devices added to accounts
- Fake social media profiles using your name or photos
- Messages referencing real personal details
- Unexpected calls claiming to be from banks, platforms, vendors, or support teams
Why this matters:
Social engineering often starts small. A strange login notice, a password reset email, or a realistic support message may be the first visible sign of misuse.
10. Build a verification habit
Criminals use emotion to compress judgment. Verification creates distance.
Pause when a message creates:
- Fear
- Urgency
- Excitement
- Curiosity
- Embarrassment
- Obligation
- Secrecy
- Pressure to act quickly
Ask:
- What action is this message trying to get me to take?
- What information is being requested?
- What happens if I slow down?
- Could this be verified another way?
- Am I being moved to a different channel?
- Is this person using authority, familiarity, or urgency to bypass normal process?
Verify by:
- Going directly to the official website or app
- Calling a known phone number
- Contacting the person through a trusted channel
- Confirming financial, legal, employment, vendor, or account recovery requests out of band
Why this matters:
Attackers do not need you to be careless. They need you to act before verifying.
Example: What exposure enables
A criminal finds your email address in a breach. A people-search site lists your phone number and home address. LinkedIn shows your employer, job title, and recent conference attendance. Your company website lists your direct email and bio.
That criminal can now send a message that references real details:
“Hi, I’m following up from the training platform your team uses. We noticed unusual activity tied to your work email after your recent course registration. Please call support to verify your account before access is suspended.”
The message works because it contains enough truth to feel legitimate.
Bottom line
Your exposed information is not just a privacy issue. It is targeting material.
Freeze and monitor your credit through Experian. Check breach exposure through Have I Been Pwned. Remove brokered personal data through DeleteMe. Limit or delete social media, including LinkedIn where possible. Keep private accounts under aliases. Treat email, text, and social media messages as untrusted until independently verified. Review every public website, profile, document, staff page, and contact listing as if an attacker will use it.
Have you taken any of these steps after a scam, breach, or impersonation attempt? Share this checklist with someone who would benefit from it, or contact Countervail if you need a deeper review of personal or organizational exposure.