by The Computing Australia Group | 10 Practical Steps to
Stay Safe Online
Identity theft isn’t just a “someone stole my credit card” problem anymore. Today, cybercriminals can stitch together your identity from dozens of small data points—an old password from a past breach, your mobile number from a leaked database, a photo of your driver’s licence you sent to “verify” an account, or even the oversharing that happens on social media without anyone noticing.
As more everyday tasks move online—banking, shopping, government services, healthcare portals, school accounts, and work tools—the amount of personal information tied to your digital life grows. That convenience is great… until someone else tries to use it.
This guide explains what identity theft is, how it happens in the real world, and the most effective ways to reduce your risk. It also includes a practical response plan (because prevention is ideal, but preparation is powerful).
What is identity theft?
Identity theft happens when someone uses your personal information without permission to impersonate you, gain financial benefits, commit fraud, or perform illegal activities. It might look like:
- Opening loans, credit cards, or “buy now pay later” accounts in your name
- Taking over your email or social media accounts
- Accessing government services (e.g., myGov-linked services)
- Using your identity to rent property, buy mobile plans, or commit crimes
- Redirecting your tax return or changing payment details
- Scamming others by pretending to be you
Identity crime can be quick and obvious (a large fraudulent purchase), or slow and quiet (small test transactions, a new service opened, or a password changed you didn’t notice).
If you want an Australian-government starting point for what to do when identity theft or a data breach happens, myGov’s recovery guidance and cyber.gov.au’s identity theft recovery pages are solid references.
How identity theft happens today
Cybercriminals usually don’t “hack you” in a dramatic movie-style way. In practice, identity theft is typically enabled by one (or more) of these situations:
1) Data breaches (your information leaks without your fault)
2) Phishing and impersonation (you’re tricked into handing it over)
Phishing emails, fake login pages, SMS “security alerts,” calls pretending to be banks or government agencies—these are designed to create urgency so you act before thinking.
Australia’s ACCC Scamwatch and the ACCC scams guidance explain how scams attempt to steal personal information for fraud and identity theft.
3) Credential stuffing (reused passwords are tested everywhere)
If you reuse passwords, a breach on one site can lead to account takeovers on others. Attackers use automation to try leaked username/password combos at scale.
4) Malware, fake apps, and risky downloads
Malicious apps or software “clones” can steal keystrokes, harvest data, or hijack sessions—especially if installed from untrusted sources.
5) SIM swapping and number hijacking
If attackers can take over your mobile number, they may intercept SMS-based login codes or password resets. This is one reason security teams prefer app-based authenticators or hardware security keys over SMS where possible.
What information do criminals actually want?
Not every piece of personal information is equally valuable. High-risk data includes:
- Email address + password (especially if reused)
- Mobile number (useful for scams, SIM swap attempts, and account recovery abuse)
- Government IDs (driver licence, passport, Medicare)
- Date of birth + address (commonly used for verification)
- Bank details, card numbers, PayPal logins
- myGov or tax account access
- Copies/photos of identity documents
The goal is often account takeover (email is the biggest prize), because once someone controls your email they can reset passwords for many other services.
Ways to prevent identity theft (updated, practical strategy)
Below are the most effective controls—prioritised by impact.
1) Secure your devices like they’re wallets
Your phone and laptop hold your life: saved passwords, banking apps, emails, identity photos, and authentication codes.
Do this:
- Use a strong device passcode (avoid 4-digit PINs if you can—use a longer PIN or passphrase)
- Enable biometric unlock plus a strong fallback passcode
- Turn on automatic updates for your operating system and apps
- Enable device encryption (modern iOS/Android and current desktop OSs do this by default when a passcode is set)
- Turn on “Find My device” features so you can locate/lock/wipe if lost
Extra protection: keep your lock screen notifications limited (so one-time codes or sensitive previews don’t show when your phone is locked).
2) Use a password manager and stop reusing passwords
Strong passwords aren’t just “complex”—they need to be:
- Unique for every account
- Long enough to resist guessing and cracking
- Random (not patterns or substitutions like P@ssw0rd!)
A password manager helps you create and store unique passwords without relying on memory.
Modern best practice: Don’t rotate passwords on a schedule unless there’s a reason. NIST’s Digital Identity Guidelines recommend focusing on length, screening for compromised passwords, and changing passwords when compromise is suspected—not arbitrary periodic resets.
What to do in real life:
- Pick a strong, memorable master passphrase
- Store recovery codes safely (offline)
- Replace your most important passwords first: email, banking, myGov, Apple/Google accounts, password manager itself
3) Turn on MFA everywhere—prefer phishing-resistant options
Multi-factor authentication (MFA) adds a second proof beyond your password. Even if someone steals your password, MFA can stop the login.
The Australian Cyber Security Centre (ACSC) strongly recommends MFA as a key protective control.
Best → okay options (roughly):
1. Security keys (hardware keys; highly phishing-resistant)
2. Passkeys (where supported—very strong, user-friendly)
3. Authenticator app codes (time-based codes or push approvals)
4. SMS codes (better than nothing, but weaker than the above)
Where to enable MFA first:
- Email accounts (critical)
- Banking and payments
- myGov and any linked services
- Social media (prevents impersonation)
- Cloud storage (Google Drive, OneDrive, iCloud)
- Business tools (Microsoft 365, Google Workspace)
4) Be ruthless about links, attachments, and “urgent” messages
This is where most identity theft starts.
Safer habits:
- Don’t click login links from emails/SMS—navigate using a bookmark or official app instead
- Treat unexpected attachments as suspicious (even if they look like invoices)
- If a message creates urgency (“account locked,” “refund waiting,” “final warning”), pause
- Verify using a second channel (call the official number on the company website—not the number in the message)
- Cloud storage (Google Drive, OneDrive, iCloud)
- Business tools (Microsoft 365, Google Workspace)
If you’re unsure about a link on desktop, hovering to preview the URL can help—but note that modern phishing can still look convincing. The safest approach is: don’t use embedded links for logins.
5) Download apps and software only from trusted sources
Criminals clone apps that look legitimate, then use them to steal login details.
Do this:
- Use official app stores (Apple App Store / Google Play) and reputable vendor websites
- Read reviews, check downloads, verify the developer name
- Review app permissions—deny anything unnecessary (contacts, SMS access, accessibility access, device admin privileges, etc.)
6) Keep antivirus/anti-malware and browser protection up to date
- fake “software updates”
- browser extensions
- pirated software
- shady PDF/ZIP downloads
7) Use public Wi-Fi carefully (and understand what a VPN does—and doesn’t)
A VPN can protect your traffic on untrusted networks and reduce some forms of tracking. But a VPN does not:
- stop phishing
- “make you anonymous”
- protect you if you type your password into a fake site
- clean malware off your device
Use a VPN as a privacy and network-safety tool, not an identity theft shield. Your biggest wins still come from MFA, password hygiene, and scam detection.
8) Lock down social media (oversharing fuels targeted fraud)
Criminals use social media to answer common “verification” questions and craft convincing impersonation scams.
Reduce your exposure:
- Hide birth date, address, workplace details where possible
- Avoid posting ID documents, boarding passes, bills, or “new phone number” updates
- Be careful with “first pet / first school / mother’s maiden name” style posts (these mirror security questions)
Consider switching accounts to private and reviewing follower lists—especially on platforms where you accept unknown requests.
9) Turn on banking alerts and monitor transactions
Real-time alerts shorten the time between compromise and action.
Enable notifications for:
- card-not-present transactions
- large purchases
- new payees
- password changes
- logins from new devices
Even if a transaction is small, it may be a “test” charge.
10) Protect your credit file (Australia: consider a credit ban if needed)
If you believe you’re at risk—or if your identity information has been exposed—placing a credit report ban can help stop new credit being opened in your name.
Equifax describes credit report bans/freezes and how they prevent credit providers from accessing your report without permission.
IDCARE also provides guidance on credit bans in Australia.
A simple “identity theft prevention checklist”
If you do nothing else, do these 8 things:
1. Enable MFA on email + banking + myGov (use authenticator app or passkeys if available)/p>
2. Use a password manager and make passwords unique
3. Update phone/laptop automatically
4. Stop clicking login links from messages—use bookmarks/apps instead
5. Review social privacy settings and remove public DOB/address
6. Turn on transaction and login alerts
7. Store recovery codes offline (not in email)
8. Know where to get help fast (IDCARE + cyber.gov.au + your bank)
What to do if you suspect identity theft (response plan)
Speed matters. Here’s a practical order of operations.
Step 1: Secure your “core” accounts immediately
- Change your email password
- Enable/upgrade MFA (prefer authenticator/passkeys/security keys)
- Check email forwarding rules and “recovery email/phone” settings
- Sign out other sessions/devices where possible
- Turn on “Find My device” features so you can locate/lock/wipe if lost
Step 2: Contact your bank and payment providers
- Report suspicious transactions
- Ask about card replacement and charge disputes
- Consider temporary account holds if takeover is suspected
Step 3: Get tailored help (Australia)
IDCARE is Australia and New Zealand’s national identity and cyber support service, and is referenced by Australian Government guidance as a key support pathway.
Step 4: Report it
Depending on the situation:
- Report scams via Scamwatch/ACCC guidance
- Use cyber.gov.au’s identity theft recovery guidance
Step 5: Protect your credit
- Request your credit report
- Dispute unfamiliar listings
- Consider a credit ban if appropriate
Step 6: If government services are involved (myGov/ATO, etc.)
myGov provides guidance on scams and recovery pathways, and the ATO also provides specific identity theft help guidance.
As technology becomes savvy, so do cybercriminals. It is vital to follow safe internet practices to protect yourself from identity theft. Keep yourself in the know. Contact our team or email us at cybersecurity@computingaustralia.group to learn more about identity theft or other cybersecurity subjects. Our cybersecurity team is 24/7 at your service.
Jargon Buster
Phishing – a fraudulent attempt where the attacker impersonates as a trustworthy entity to obtain sensitive information via digital communication.
VPN – Virtual Private Network is an encrypted connection across a public network that provides online anonymity.
Antivirus – is a program that helps a device prevent, detect, and remove malware.
MFA – Multi-Factor Authenticator- an authentication method that requires the user to provide two or more verification factors to gain access to their data.
Blake Parry
FAQ
Is MFA really worth it?
Yes. MFA is one of the highest-impact controls you can enable, and is strongly promoted by the ACSC.
Should I use a VPN to prevent identity theft?
A VPN can help on untrusted networks and for privacy, but it won’t stop phishing or account takeover if you share credentials with a fake site.
How often should I change my passwords?
Focus on unique, long passwords and change them when compromise is suspected. Modern guidance (including NIST) generally discourages forced periodic resets without cause.
What’s the first account I should protect?
Your email account. It’s the password reset gateway for many other services.
What are the most common signs of identity theft?
Unexpected password reset/MFA codes, unfamiliar bank transactions, being locked out of accounts, new credit enquiries, debts you don’t recognise, or your phone losing service unexpectedly (possible SIM swap). If you notice these, secure your email first, then contact your bank and check your credit report.
