Hero Images | Getty Images

The building blocks for identify theft are for sale on the dark web, a hidden part of the internet that people access through special browsers such as Tor, I2p and Freenet. Once there, scammers find their way to anonymous message boards, and markets for drugs, stolen financial data and other personal valuable information. Almost everything’s for sale, and purchases are usually made with bitcoin, since the cryptocurrency is difficult to trace. You can get checking account information and stolen Social Security numbers. Even people’s medical records can be purchased for anywhere from a dollar to $60, depending on the amount of information you're seeking. Why medical records? For starters, complete medical records generally contain a complete identity: name, date of birth, Social Security number and medical information. A detailed record can then be used to establish a fake identity, open a credit account, or it can be used to bill fraudulently for medical procedures, according to MIB Group, a nonprofit organization that offers underwriting services to insurance companies.

Guarding against identify theft starts with scanning the horizon for red flags. Be careful about your passwords. They should be easy for you to remember, and not contain personal information, although the admonition to change passwords is open to debate. You may want to keep your current passwords unless you suspect your information has been breached. “It turns out that changing passwords frequently can actually just give cyber criminals a glimpse at potential patterns in your passwords, allowing them to crack them more quickly,” says Brian Stack, vice president of dark web intelligence at Experian, a credit-scoring company. Don't use public computers for sensitive or financial transactions. Whenever possible, use two-factor authorization, which makes it harder for anyone else to log into your accounts, said the Trusted Identities Group, a division of the National Institute of Standards and Technology.

Double protection

“Your information is safer because thieves would need to steal both your password and your phone,” the Trusted Identities Group says on its website. You’d definitely notice and report a missing phone before someone else could use your credentials. More from Personal Finance





“Plus, your phone should be locked, requiring a PIN or fingerprint to unlock, rendering it even less useful if someone wants to use your credentials,” the Trusted Identities Group says. Suspicious activity can be a shady email — check the underlying address to verify it really is from the company claiming to contact you — or odd activity on any of your accounts. Monitor your bank accounts and your social accounts for unusual activity or posts.