Identity theft rarely starts with a hooded hacker. It starts with a breached email address you used in 2019 and a password you reused on a forgotten forum. One afternoon of cleanup closes nearly every gap.
The seven-step checklist
1) Check Have I Been Pwned for every email you use.
2) Move to a password manager: every site, unique, 20+ characters.
3) Turn on app-based 2FA (not SMS) on email, banking, and government logins.
4) Set up Singpass / national-ID login alerts.
5) Freeze your credit file if your jurisdiction supports it.
6) Audit OAuth apps connected to Google/Apple/Microsoft.
7) Rotate the email you use for finance to a private alias never shared publicly.
Why SMS 2FA is not enough
SIM-swap attacks remain trivial in most jurisdictions. App-based authenticators (Authy, 1Password, Aegis) or hardware keys (YubiKey) are required for any account holding money or your identity.
- Same password reused across sites
- SMS as the only second factor on banking
- Personal email used as login on government portals
- Old breached passwords still active on key accounts
1) Run Have I Been Pwned on every email and rotate any breached password.
2) Install a password manager today; migrate the 20 most important accounts first.
3) Replace SMS 2FA with app or hardware keys on email and finance.
4) Set up Google/Apple security checkup; revoke any OAuth app you no longer use.
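Once the accounts are in a password manager, the "every site, unique, 20+ characters" rule can be checked offline against an export. The script below is an added example, not part of the original checklist; the CSV column names (name, username, password) and the sample rows are constructed assumptions, since real exports differ between managers.

```python
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 20  # the checklist's "20+ characters"

# Constructed sample export. Column names are an assumption; adjust to your manager.
SAMPLE_EXPORT = """name,username,password
Mail,me@example.com,correct-horse-battery-staple-42
Bank,me@example.com,Summer2019!
Old forum,me@example.com,Summer2019!
Gov portal,me@example.com,Tr0ub4dor&3
"""


def audit(export_csv, min_length=MIN_LENGTH):
    """Return (reused, short): groups of entries sharing one password,
    and entries whose password is shorter than min_length."""
    by_digest = defaultdict(list)
    short = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        password = row["password"]
        if not password:
            continue  # entry without a stored password (e.g. SSO login)
        # Group on a digest so the plaintext never ends up in the report.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(row["name"])
        if len(password) < min_length:
            short.append(row["name"])
    reused = sorted(sorted(names) for names in by_digest.values() if len(names) > 1)
    return reused, sorted(short)


def report(export_csv):
    """Build printable findings that name accounts only, never passwords."""
    reused, short = audit(export_csv)
    lines = ["REUSED: " + ", ".join(group) for group in reused]
    lines += [f"SHORT (<{MIN_LENGTH}): {name}" for name in short]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

The export itself is a plaintext copy of every password, so delete it as soon as the audit is done.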