Immediate Response
Do these within 24–72 hours of discovering the fraud
What It Means When the IRS Contacts You
If the IRS notifies you that a return was already filed under your Social Security Number, someone has your SSN and likely other personal data. This is called tax identity theft. The fraudster files early in the season to collect a refund before you file. The IRS will not process your legitimate return until the fraud is resolved, a process that can take months. Acting fast limits the damage.
Step 2 — Request your IP PIN: Once logged in, navigate to the IP PIN section. An IP PIN is a 6-digit number that must be included on any tax return filed under your SSN. Without it, the return is rejected — which stops fraudulent filings cold.
Important — PINs change every year: The IRS issues a new IP PIN each January. Log in to your IRS account at the start of each tax season to retrieve your current PIN before filing. Your tax preparer or software will ask for it. Treat it like a password — keep it private.
Note for iPhone/Safari users: When tapping the link above, Safari may show a prompt asking "Do you want to allow downloads from lockdownyourid.com and secure.ssa.gov?" — this is normal. It's Safari being cautious about the SSA's redirect process, not an actual file download from our site. Tap Allow to proceed to the SSA site safely.
Credit Freeze & IRS Protection
Lock your credit and shield your tax identity going forward
Credit Freeze vs. Fraud Alert
A credit freeze (also called a security freeze) restricts access to your credit report entirely. Lenders cannot pull your credit to open new accounts, stopping a fraudster from opening cards or loans in your name. A freeze is free at all three bureaus and can be lifted temporarily when you need to apply for credit yourself.
A fraud alert is weaker — it flags your file and asks lenders to verify your identity before extending credit, but it doesn't block the inquiry. Start with a freeze.
Passwords, Passkeys & Authentication
Upgrade how you authenticate — the right tools make a massive difference
Why You Need One Right Now
A password manager is an encrypted vault that generates and stores strong, unique passwords for every site you use. Humans cannot reliably remember dozens of strong passwords — so we reuse them, which is how one breach at a small website becomes a compromise of your email, bank, and everything else. A password manager solves this completely.
Reputable options: 1Password (~$2.99/mo), Bitwarden (~$1.65/mo — the most affordable paid option, open source and independently audited), Dashlane. Your device's built-in manager (Apple Keychain, Google Password Manager) is a solid free starting point if you're not ready to commit to a paid option.
Coming from LastPass? The 2022 LastPass breach — where attackers stole encrypted user vaults — damaged trust in that platform significantly within the security community. If you're still using LastPass, migrating to Bitwarden is the clear recommendation. Bitwarden has a direct LastPass importer built in: export your LastPass vault as a CSV, then go to Bitwarden's web vault → Tools → Import Data → select "LastPass (csv)" and everything transfers in one shot — passwords, URLs, usernames, notes, and folders. At ~$1.65/mo Bitwarden is significantly cheaper than LastPass and far more trusted by the security community.
Passkeys: The Future of Authentication
A passkey is a cryptographic credential that replaces your password entirely. Instead of typing a secret string, your device proves your identity using public-key cryptography — the same math that secures banks and governments. When you set up a passkey, your device creates a key pair: a private key stored securely on your device and a public key sent to the website. To log in, the site sends a challenge, your device signs it with your private key (unlocked by your face, fingerprint, or PIN), and the site verifies the signature. Your private key never leaves your device.
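The challenge-and-signature exchange described above, as an added example that is not part of the original page: it models the exchange with Node.js's built-in `crypto` module and does not use WebAuthn's real message encoding. The function names and the `bank.example` and `login-check.test` domains are hypothetical. It also shows why a passkey is tied to one domain and why a captured response cannot be reused.

```javascript
// Added illustration of a passkey-style login; names and domains are hypothetical.
const crypto = require('node:crypto');

// Registration: the device creates a key pair for ONE site (rpId).
// Only publicKey is sent to the site; privateKey stays on the device.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Device side: sign the site's challenge together with the origin the browser sees.
// If the origin's domain does not match the passkey's site, nothing is signed.
function deviceSign(passkey, challenge, origin) {
  const host = new URL(origin).hostname;
  if (host !== passkey.rpId && !host.endsWith('.' + passkey.rpId)) return null;
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), passkey.privateKey);
  return { clientData, signature };
}

// Site side: the response must carry the challenge just issued, the site's
// own origin, and a signature that verifies under the stored public key.
function serverVerify(publicKey, expectedChallenge, expectedOrigin, response) {
  if (!response) return false;
  const data = JSON.parse(response.clientData);
  if (data.challenge !== expectedChallenge.toString('base64url')) return false;
  if (data.origin !== expectedOrigin) return false;
  return crypto.verify('sha256', Buffer.from(response.clientData), publicKey, response.signature);
}

// Constructed scenario: one real login, one replayed response, one look-alike site.
function demo() {
  const site = 'https://bank.example';
  const passkey = createPasskey('bank.example');
  const challenge = crypto.randomBytes(32);
  const response = deviceSign(passkey, challenge, site);
  const legit = serverVerify(passkey.publicKey, challenge, site, response);
  // The same response presented against a fresh challenge is rejected.
  const replay = serverVerify(passkey.publicKey, crypto.randomBytes(32), site, response);
  // On a look-alike domain the device has no matching passkey to use.
  const lookalike = deviceSign(passkey, challenge, 'https://bank.example.login-check.test');
  return { legit, replay, signedForLookalike: lookalike !== null };
}

console.log(demo());
```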
How to use one: When a supported site (Google, Apple, Microsoft, GitHub, PayPal) offers "Create a passkey," accept it. Your device prompts for Face ID, Touch ID, or your PIN. Next login, choose "Use passkey" instead of a password.
The multi-device reality — read this before you commit. Passkeys are more nuanced in practice than they appear on paper, and there are two real-world friction points worth understanding before you go all-in:
Problem 1 — Multiple devices don't automatically share passkeys. A passkey created on your iPhone lives in Apple's iCloud Keychain and syncs seamlessly across your other Apple devices. But if you also use a Windows PC or a non-Apple browser, that passkey isn't there. You'd either need to use your phone as a remote authenticator (scan a QR code on your PC, approve on your phone via Bluetooth proximity — it works, but it's a multi-step process), or store your passkeys in a cross-platform password manager like 1Password or Bitwarden instead of the platform keychain. If you regularly move between ecosystems — iPhone plus Windows PC, for example — plan for this before you start removing passwords.
Problem 2 — Getting a new phone can lock you out. This is the scenario that catches people most off guard. If your passkeys are stored on your phone and you get a new device, you need to transfer them before wiping the old one. With iCloud Keychain this is handled automatically during iPhone setup if you restore from a backup. With Android/Google Password Manager it syncs to your Google account. But if you factory reset your old phone first, lose it, or have it stolen, and you haven't ensured your passkeys transferred or that backup recovery codes exist — you can find yourself locked out of accounts with no obvious way back in. Always verify account recovery options before relying solely on a passkey.
The honest bottom line: Passkeys are a genuine security improvement over passwords — they're phishing-proof and eliminate the risk of your credentials being stolen in a breach. But they introduce a new category of access risk around device management. The safest approach is to keep a strong password as a fallback on any account where you set up a passkey, store passkeys in a password manager rather than a platform keychain if you use multiple device ecosystems, and never delete your password until you've confirmed the passkey works reliably across all your devices.
Advantages:
- Immune to phishing — key is domain-locked
- No password to steal in a breach
- Fast login with biometrics
- Works without cell service
- Blocks credential stuffing attacks
Drawbacks:
- Device-bound — getting a new phone requires careful transfer
- Cross-ecosystem use (iPhone + Windows) requires extra steps
- Losing your device without a backup can lock you out
- Not all websites support them yet
- Learning curve — especially for non-technical users
2FA Methods Ranked by Security
Two-factor authentication requires a second proof of identity beyond your password. Not all 2FA is equal:
- Best — Hardware security key (YubiKey): Physical device, phishing-proof, gold standard
- Excellent — Passkey: Cryptographic, phishing-proof, device-bound
- Good — Authenticator app (Authy, Google Authenticator): Time-based codes, resistant to automated phishing
- Acceptable — SMS text code: Vulnerable to SIM-swapping, but far better than nothing
- Avoid — Email codes: If your email is compromised, this provides no protection
Account & Device Security
Harden the accounts and devices that hold your life
What Is a SIM Swap Attack?
A SIM swap is when a fraudster contacts your mobile carrier and tricks them into transferring your phone number to a SIM card the attacker controls. Once they have your number, they receive your SMS verification codes and can use "Forgot Password" to take over your email, then cascade into every account tied to it. Protect yourself by adding a PIN or passcode to your carrier account and requiring it for any number transfer.
Ongoing Monitoring
Build habits that catch fraud early — the sooner you know, the less damage done
What Is the Dark Web and Should You Worry?
The "dark web" refers to parts of the internet not indexed by search engines, often used for buying and selling stolen data. After a breach, your credentials may appear on dark web marketplaces within hours. You can't stop your data from being posted there, but monitoring services alert you when it appears so you can change affected passwords before attackers use them.
Free monitoring: Google One and Apple iCloud+ both include dark web monitoring. Many credit cards also include it at no cost. Paid services like Identity Guard or LifeLock offer broader SSN monitoring.