Identity thieves have a lot of opportunities to grab your info and wreak havoc.

This raises the perennial question: How can a regular person, who owns a cellphone or a computer and uses the internet to shop, pay bills online or to trade messages with friends and family, safeguard his or her identity data?

Eva Velasquez, the CEO of the Identity Theft Resource Center, a nonprofit based in San Diego that focuses on cybersecurity education, research and victim support, shared a few strategies that may not yet be second nature — but should.

Velasquez shared several pointers. But before — and also after — sharing pointers, she acknowledged how exhausting it is for people to have to constantly be vigilant.

But unsolicited incoming communications are so often scams that they’re not even worth spending energy on and evaluating. They can usually just be ignored, she said.

She also offered this overarching insight: Because it is so exhausting, and scams and identity crimes aren’t going anywhere, cybersecurity isn’t just one thing. It’s a practice.

“It’s sort of like your regular hygiene,” she said. “You don’t just do one thing. You don’t just go, OK, today I’m going to brush my teeth, but I won’t do anything else. You go, OK, I’m going to wash my face and brush my hair, maybe take a shower, brush my teeth, you know, put on deodorant, all of those things, and they add up to something finished. It’s the same thing with your identity and your behavior online. You can do a lot of little things that will add up to a big reward, because it’s reducing your overall risk surface. That would be my message to folks.”

Velasquez worked for decades in law enforcement — probing identity crimes for the San Diego County District Attorney’s office.

She left that job and, after helping lead the San Diego Better Business Bureau, joined this nonprofit as its CEO.

“I used to investigate these types of cases, and I felt that we while we were doing a decent job of putting the criminals that we could catch in jail and stopping them from harming other people, we did not have enough resources to provide the proper support for this victim population,” she said. “I want to live in a world where we don’t dismiss this victim population as being not important. This can be a really devastating experience for people, and we need to treat it as such.”

Here are three things she recommends adding to your cybersafety routine:

If you didn’t initiate, don’t take the bait

Velasquez’s first recommendation is to beware of absolutely ever contact coming your way in a conversation you didn’t initially initiate. Anytime someone pops into your inbox, be skeptical. No matter who the message claims to be from.

“I want people to be very, very leery, especially of incoming communication,” she said. “Consumers are just being deluged with all of this misinformation, and imposter scams, and romance scams and their identity credentials being breached.”

Whether it comes in the form of a phone call, an email, a text message, “a letter in the mail, carrier pigeon, if you didn’t initiate the contact, go to the source and verify.”

Passkeys: new and easy

“The newest thing that we really want consumers to be curious about and hopefully embrace are passkeys,” Velasquez said.

What’s a passkey? It is a way to log into an account that is not a password.

Apple’s website describes it as a “replacement for passwords that are designed to provide websites and apps a passwordless sign-in experience that is both more convenient and more secure. Passkeys are a standard-based technology that, unlike passwords, are resistant to phishing, are always strong, and are designed so that there are no shared secrets.”

Velasquez said that surveys show passkeys have good adoption because they are easy to use. One thing to look out for, Velasquez added: a passkey “must be offered by the entity that you’re that you’re signing in to.”

Biometrics, with an asterisk

Biometrics, a tool that uses a person’s physical or biological characteristics to verify identity, leave some people feeling cagey. The Federal Trade Commission has warned consumers that biometric information can be misused.

“In recent years, biometric surveillance has grown more sophisticated and pervasive, posing new threats to privacy and civil rights,” Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, said in 2023.

But, used as one more layer of ID verification in combination with others, they can add valuable protection, Velasquez said.

“You can use a biometric to prove that you are who you say you are when you’re trying to conduct a transaction,” Velasquez said.

“In addition to things like your Social Security number, driver’s license number, passport number, date of birth, mother’s maiden name, all of those standard things that you need to conduct a transaction and prove you are who you say you are, adding a biometric is just one more layer, and it’s very easy for people to do because you can’t forget it. It’s not a secret. My face isn’t a secret. I wear it outside every day,” she said.

Apple’s use of Face ID, which lets people log into accounts and pay for purchases using recognition of the account owner’s face, has helped normalize biometrics, she added.

“I think people are more willing to see the the utility of it, and that it’s not a scary thing,” she said.

The ITRC published a policy paper last year about biometrics that talked about best practices and distinctions between biometrics used for surveillance without the person’s knowledge, and biometrics used through “a consent based process.”

Organizations that use facial verification should store data for a limited time, encrypt data and only use the data in the way the subject gave consent, the paper says.

Reminder: 3 best practices

Velasquez closed with a reminder about the trite, tried and true advice people often hear. The top three are using two-factor authentication, freezing credit, and not copy and pasting the same passwords across accounts.

“We’ve said it a million times, but until we get 100% adoption, you know, we still have to remind people about those,” she said.

©2025 The San Diego Union-Tribune. Visit sandiegouniontribune.com. Distributed by Tribune Content Agency, LLC.