America is back on the road, and if you stay in a hotel, today’s story may save you thousands of dollars as we look at something few travelers have heard of: Innkeepers Laws. Intended to protect hotels, they can cause guests more grief than one can imagine.

Let’s take California’s Innkeepers law — on the books since 1872 — which permitted Marriott, the world’s largest hotel chain, to engage in conduct that I can only describe as morally reprehensible, in effect validating a shocking rip-off of one of their guests enabled by a hotel employee.

Marriott’s mission statement is “to enhance the lives of our customers by creating and enabling unsurpassed vacation and leisure experiences.”

“And they sure did last year for Bob Sabouni, who checked into the San Francisco Marriott Marquis. His brief stay became an egregious example of a hotel using a grossly outdated statute to pour salt onto a wound of a guest – that they caused, ” observes Santa Monica, Calif.-based attorney and public relations consultant Nicole Wool, who has been closely following this case.

“What happened to Bob was so unfair, so unconscionable and shocking. Judging by comments posted online following television network news stories that went viral, this incident is not currying much favor with the public, and understandably so,” she notes.

Checked In But Room Not Ready

Based on court records and police reports, the facts of this case are not in dispute. In June of 2021 Sabouni and his friends chose the Marriott Marquis in San Francisco to attend a Giants game. Checking in, they were told their room wasn’t ready, so, the hotel valet held their luggage, giving them each a claim check.

Returning after the game, “Everyone’s bags were there but mine,” Bob said, according to news reports.

So, how could this have happened?

That afternoon, according to the judgement by San Francisco Superior Court Judge Jeffrey S. Ross, recorded on Marriott’s surveillance equipment, a man walked into the hotel saying that he checked his baggage but lost his claim check.

“Remarkably, without seeking any identification, a Marriott employee invited the man into the baggage room and allowed him to select the baggage he claimed to have checked,” the judgment states. “Sadly for Sabouni, Marriott gave the man all Sabouni’s possessions, including: a Briggs & Riley rollaway bag, a Tumi leather backpack, an iPad Pro, a MacBook Pro, a 4 TB hard drive, clothing, toiletries and personal items, which Sabouni values at $8,194.79.”

Marriott Initially Promised to Fully Reimburse Bob

“Discovering their negligence, the hotel staff initially promised to reimburse Bob, but then they refused. He went to small claims court, and obtained a judgment,” of $5,000, Wool notes, adding, “But instead of abiding by the court’s decision, Marriott’s attorney, Maria Lampasona, a partner with a major San Francisco law firm, filed an appeal!”

Judge Ross’ scathing opinion stated, “Rather than compensating its guest for a loss solely attributable to Marriott’s conduct, it relies on (an 1872 Innkeepers Law in the California Civil Code) section 1859 and contends its exposure should be limited to $500. Section 1859’s limit of liability has not been revised to accord with the current value of luggage, clothing and most notably computer equipment and its data.

“One might expect Marriott to recognize the aberration and, in the interest of customer relations, to pay the judgment. Instead, Marriott appealed.”

Judge Ross went on to state, “This is one of the rare instances where the law does not allow the court to achieve the equitable result as it must apply section 1859.”

The judge was able to increase the award to $1,553, still far lower than the approximately $9,000 loss Bob experienced.

Right and Wrong, Fairness, Morality and Marriott’s Lawyers

As the story went viral, many readers emailed and phoned, upset, asking:

“Even if this out-of-date law is still on the books, how could Marriott’s lawyer do this to their totally innocent guest? Didn’t anyone see the public relations fiasco this would create? How could they so easily ignore fundamental, right-and-wrong morality? Is this what they teach you in law school?”

Southern California employment law attorney Jay Rosenlieb, wrote:

“Appealing this case by relying on a statute from the 1800s was a boneheaded business decision and a public relations disaster.

“Lawyers must counsel clients regarding the consequences of strategies being considered. In this case, did their attorney warn them enforcing a statute from the 1800s is likely to trigger tremendous adverse publicity? Did she say, ‘Merely because you can use this archaic statute to save a few dollars does not mean you should!’

“Just because a lawyer can do something does not mean that it is the right thing to do – often, it is plain wrong!”

Hanford, Calif., business attorney Ron Jones offered these thoughts:

“Marriott spent substantial dollars on attorney’s fees on appeal so as not to pay out a small claims judgment, trampling common sense and fairness. ‘Do unto others ...’ The rules are there, easy to understand and to follow. Unfortunately, too many people don’t! Too many lawyers don’t.”

One reader phoned me, saying, “I was in Maria’s law school class and remember this message from our professors: Seek fairness, a just result, stand up to clients who ask you to use your skills to achieve patently wrong, unfair results. Remember the legacy of Nuremberg.”

Fresno-based Neil Williams, retired publisher of the Hanford Sentinel, wrote:

“The issue was obvious: Do the right and moral thing for your customer. Marriott’s attorney could have been the ‘hero’ by taking the lead in addressing such an outdated law and even seeing changes made to correct an obvious flaw on behalf of her client.”

The Bottom Line: Recommendations for Hotel Guests

Losses such as Bob’s are generally covered under homeowners and renters insurance — but a claim might trigger a premium increase. If you do have to file a claim, here’s a tip: While it is an extra step, insurance claims representatives recommend that when packing your luggage, take photos or a video to prove the contents.

And be extra cautious. When you’re on a trip, leave any valuables at home that you can. In other words, only pack what you can afford to lose.

I asked Marriott, their attorney and her senior partner for comment on the situation. So far, nothing.

This article was written by and presents the views of our contributing adviser, not the Kiplinger editorial staff. You can check adviser records with the SEC or with FINRA.

Americans and their global counterparts are getting ready to enjoy a more open world in 2022 – good news for travel stocks.

According to the Centers for Disease Control and Prevention, the seven-day average of COVID-19 cases in the U.S. is at its lowest level since last summer.

"After more than a year of waiting, travel stocks may finally be recovering," says David Russell, vice president of Market Intelligence at online trading platform TradeStation. "The reason for the growth in the industry is credited primarily to the decreasing COVID-19 cases due to vaccines developed in late 2020. Consumers are eager to travel again, which has cued investors to begin to reaccumulate travel stocks, bolstering the market."

Additionally, in its 2022 outlook, Expedia Group, in collaboration with Wakefield Research, surveyed 5,500 individuals from across the globe – including the U.S., U.K. and Canada. Of those surveyed, 81% said they plan to take at least one vacation with family and friends over the first half of 2022. And more than half of respondents said they will spend more on travel than they did pre-pandemic.

"Travel is about to experience a year unlike ever before as people plan purpose-driven trips, value vacation time more, and up their investment in unique experiences," says Ariane Gorin, president of Expedia for Business.

With that in mind, here are seven travel stocks that will benefit from consumers' pent-up demand for vacation. This list covers a variety of travel-related industries, including hotel stocks, airlines and entertainment. But all the names featured here have at least one thing in common: They are top-rated among Wall Street pros.

Data is as of April 3. Analysts' opinions courtesy of S&P Global Market Intelligence. Stocks are listed by analysts' consensus recommendation, from lowest to highest.

• Industry: Lodging
• Market value: $56.8 billion
• Analysts' consensus recommendation: 2.41 (Buy)

Marriott International (MAR, $173.68) was busy adding to and building its worldwide pipeline of hotel rooms over the past year. In 2021, the operator of 30 hotel and lodging brands signed 599 agreements to build 92,000 future rooms, more than half outside the U.S. and Canada.

With 2021's signings, Marriott now has 495,000 rooms under development worldwide. That adds to its existing footprint of 1.48 million rooms at almost 8,000 properties in 139 countries. Despite hurdles faced by the pandemic, MAR was able to open an additional 86,000 rooms last year, 3.9% higher than in 2020.

Marriott has three key growth areas: Luxury travel, leisure travel and branded residential.

Of the three, luxury appears ready to take off in 2022. Marriott is set to launch more than 30 luxury hotels this year under its St. Regis, W Hotels, Ritz-Carlton, JW Marriott and more to meet the demand. In total, the company has seven luxury brands associated with 476 hotels.

The luxury segment provides the company with higher fees than its moderate banners. For this reason, it has almost 50,000 hotel rooms in its luxury pipeline.

In 2021, Marriott's revenue per available room (RevPAR) in its U.S. and Canadian luxury hotels was $190.53, nearly double what it was in 2020. In addition, the average daily rate at these hotels was $393.72, 12.9% higher year-over-year.

Overall, Marriott had gross fee revenues of $2.7 billion for all of 2021, 60% higher than the year earlier. These improvements translated into an adjusted net income of $1.1 billion, a considerable improvement over the $267 million loss it incurred in 2020.

While COVID-19 variants may do their best to slow reopenings, the writing is on the wall. And travel stocks like MAR will benefit in 2022 from a return to a more normal hospitality industry.

• Industry: Travel services
• Market value: $111.3 billion
• Analysts' consensus recommendation: 2.39 (Buy)

Airbnb (ABNB, $173.07) CEO Brian Chesky announced on Twitter in mid-January that he would be working remotely in Atlanta and other cities throughout 2022 to better understand the Live Anywhere trend that's exploding worldwide. So, each week he's working in a town away from ABNB's home office in San Francisco and living on Airbnb.

In Chesky's tweet, he noted several statistics driving the Live Anywhere phenomenon, including the fact that between July and September of last year, 20% of gross nights booked were for stays of 28 days or longer. And more than 100,000 people booked stays of at least three months in the 12 months through September.

People aren't just staying in big cities or resort towns, they're also staying in rural areas. According to Airbnb, in Q3 2021, domestic nights booked by U.S. guests for rural stays increased 85% over Q3 2019.

The digital nomad visa has become a thing too. So you want to work in Croatia, it's no problem. There are now approximately 41 countries offering this new type of visa.

Naturally, Chesky is very optimistic about his company's future – and for good reason. In 2021, ABNB brought in $47 billion in gross bookings volume (GBV), nearly double what it did in 2020 and 23% higher than in 2019. Additionally, adjusted EBITDA (earnings before interest, taxes, depreciation and amortization) margin in the previous fiscal year was 27%, compared to an adjusted EBITDA margin of -5% in 2019.

And ABNB ended last year with $8.3 billion in cash, cash equivalents, marketable securities and restricted cash, while holding $3.7 billion in funds on behalf of guests.

The company admitted in its Q4 shareholder report that it's "challenging" to give guidance too far out due to COVID-19-related uncertainties. Still, Airbnb says it is "encouraged" by what it's seeing for 2022 travel trends, including lead times for first-quarter bookings in the U.S. and Europe exceeding those seen in Q1 2019.

Based on a price-to-sales ratio of 13.1x its 2022 estimate, its valuation is the cheapest it's been since going public in December 2020.

• Industry: Travel services
• Market value: $21.3 billion
• Analysts' consensus recommendation: 2.39 (Buy)

Cruise operators were arguably among the hardest-hit travel stocks during the pandemic. Case in point: Royal Caribbean Cruises (RCL, $83.66). The company has $11 billion in revenue in 2019. In 2020, that figure had tumbled to $2.2 billion, and fell even further – to $1.5 billion – in 2021.

But analysts' expectations are for a big recovery over the next two years. Consensus estimates are for fiscal 2022 revenue to hit $9.3 billion, and rise to $12.6 billion in 2023.

"We view cruise lines as one of the few remaining recovery stories in consumer, offering high operating leverage that should become a tailwind into 2023 as business returns to normal," says Wells Fargo analyst Daniel Politzer.

While the analyst believes near-term performance hinges on progress toward resuming operations as well as volatility sparked by geopolitical risks and rising fuel prices, "the bull thesis remains intact for cruise penetration to grow over time, with North America the most mature market." Politzer has an Outperform rating on RCL, which is the equivalent of Buy.

Royal Caribbean is upbeat about its future too. While CEO Jason Liberty – who took the reins from long-time leader Richard Fain in early January – said the omicron variant " was particularly unfortunate for the first half of 2022 bookings and will likely delay our return to profitability by a few months," it will not impact RCL's overall recovery.

Liberty also says he expects 2022 will be "a strong transitional year."

• Industry: Rental & leasing services
• Market value: $9.1 billion
• Analysts' consensus recommendation: 2.00 (Buy)

Heading into the new year, Barron's said it expects rental car companies to be among the best travel stocks in 2022 due to ongoing vehicle shortages that have created a higher-pricing environment. The financial publication tapped Hertz Global Holdings (HTZ, $21.12) as a top stock pick.

Many on Wall Street share in this optimism. Of the nine analysts following the stock tracked by S&P Global Market Intelligence, three say it's a Strong Buy, three call it a Buy and three have it at Hold. What's more, HTZ was a top stock pick among billionaire investors in the fourth quarter.

"Hertz is an industry leader in the rental vehicle market," says Oppenheimer analyst Ian Zaffino (Outperform). "It has a strong balance sheet, a significantly optimized cost structure, and impressive partnerships with Uber (UBER), Tesla (TSLA) and Carvana (CVNA)."

In HTZ's most recent earnings report, the company reported higher-than-expected fourth-quarter adjusted EBITDA of $628 million and revenues of $1.9 billion. The company also said it ended 2021 with $3.2 billion in liquidity – a figure that includes $2.3 billion in unrestricted cash, a solid position to fund strategic initiatives.

Deutsche Bank analyst Chris Woronka (Buy) says this "cash windfall will likely accelerate in 2022," which "should drive large buybacks."

Pretty impressive considering the company only emerged from Chapter 11 bankruptcy protection in June 2021 after filing for it in May 2020.

• Industry: REIT – hotel & motel
• Market value: $5.2 billion
• Analysts' consensus recommendation: 2.00 (Buy)

Ryman Hospitality Properties (RHP, $94.35) is one of those travel stocks that fly under the radar of many investors. This is because it's partly a hotel owner and operator and partly a hospitality business. But most importantly, it's a Nashville-based real estate investment trust (REIT).

Its most famous assets include the Grand Ole Opry and Ryman Auditorium, but it has many other revenue-generating properties held within its two operating segments: Hospitality and entertainment.

In addition to the two properties mentioned above, the entertainment segment includes a growing list of country brands, including Ole Red – a bar, restaurant and performing arts venue backed by singer Blake Shelton. The hospitality segment is made up of Gaylor resorts across Tennessee, Florida, Texas, Maryland and Colorado.

The REIT's overall revenues grew 79.1% in fiscal 2021 to $939.4 million. Revenue in its more significant hospitality segment spiked 68.8% year-over-year to $786.6 million.

Analysts expect strong revenue growth in fiscal 2022, with the consensus estimate at $1.6 billion – a 65.7% YoY improvement. The company is also projected to report earnings of $1.58 per share, a marked improvement over the $3.21 per-share loss it recorded in 2021.

Helping Ryman along are expansion plans, with the REIT opening a 5,000 to 6,000 square feet Ole Red location at the Nashville International Airport in the year ahead. Then, in 2023, it plans to open one in Las Vegas, its first location in the Western U.S. This one will be big, at four stories and roughly 27,000 square feet. Ryman plans to spend $30 million developing the building and Ole Red location.

It also hopes to grow the Block 21 mixed-use entertainment complex it acquired in October for $260 million. The Block 21 complex in Austin, Texas, includes a 251-room W Hotel and the Austin City Limits concert venue.

For investors looking for the best travel stocks, Ryman Hospitality Properties is an absolute diamond in the rough.

• Industry: Airlines
• Market value: $25.2 billion
• Analysts' consensus recommendation: 1.58 (Buy)

There's no denying that it has been a tough couple of years for Delta Air Lines (DAL, $39.31).

While the spread of COVID-19 kept passengers from flying early in the pandemic, the omicron variant kept the airline from fielding enough staff in late 2021 and early 2022. According to The New York Times, more than 8,000 Delta employees called in sick in the last weeks of 2021, forcing the company to cancel thousands of flights.

The good news for Delta shareholders is that the impact from omicron was short-lived.

"Omicron is expected to temporarily delay the demand recovery 60 days, but as we look past the peak, we are confident in a strong spring and summer travel season with significant pent-up demand for consumer and business travel," CEO Ed Bastian said in Delta's Q4 2021 press release.

And yes, it's true, the airline's financial results in 2021 were grim. Revenues on an adjusted basis were down 43% from 2019 to $26.7 billion. On the bottom line, its adjusted loss was $2.6 billion, down significantly from the $4.8 billion profit it reported two years ago.

Still, Delta generated $1.3 billion in free cash flow – the money remaining after a company has paid its expenses, interest on debt, taxes and long-term investments needed to grow its business – in 2021. While that is below the $4.2 billion it had in 2019, the fact that it was positive in such a tough business environment speaks to Bastian and his team's work last year keeping the business afloat.

And analysts expect DAL to swing to a profit of $1.49 per share in 2022, while bringing in revenues of $43.4 billion – both significant improvements over its results in 2021.

• Industry: Entertainment
• Market value: $249.4 billion
• Analysts' consensus recommendation: 1.79 (Buy)

Long-time Walt Disney (DIS, $137.00) shareholders have taken it on the chin in recent years. According to Morningstar, you have to go back 15 years for the company to deliver a higher annualized total return (10.31%) than the entire U.S. market (10.28%). Every other time frame, Disney underperforms.

The pandemic certainly didn't help.

In the fiscal year ended Oct. 2, 2021, Disney's revenues grew 3% over 2020 to $67.4 billion, while its segment operating income fell 4% YoY to $7.8 billion. On the free cash flow front, it generated $2.0 billion, 45% less than a year earlier.

So, why is DIS on a list of the best travel stocks?

For starters, its Disney Parks, Experiences and Products segment performed admirably despite COVID-19 affecting its first-half performance. On the top line, it had $16.6 billion in revenue, 3% less than a year earlier. However, its operating income was $471 million, 4% higher than in 2020.

Another piece of the puzzle for DIS – and an important one at that – is Disney+. In 2021, Disney grew its video-streaming direct-to-consumer (DTC) revenue by 55% to $16.3 billion. This accounted for 32% of Disney's Media and Entertainment Distribution revenues. That's 10% higher than in 2020.

Disney finished its fiscal year with 179 million DTC subscribers, including for Disney+, Hulu and ESPN+. Disney+ took the lion's share of subscribers, up 60% YoY to 118.1 million. Over the next two years, Disney will expand its streaming service into more than 50 new markets worldwide, including South Africa and Croatia.

Wellington-Altus Private Wealth portfolio manager Rick Stuchberry believes the Dow Jones stock is anything but dead. He's made it one of his top picks for 2022.

"People look at it and say 'Oh gee, well everything's going wrong at Disney,' but it isn't," Stuchberry said. "The market's taken it down. The streaming business looks pretty good, but the theme parks, they're not running it where they should be because of the COVID thing, but once the COVID passes? You're getting movie libraries, you're getting the whole package and Disney at a very good price now," the Cantech Letter reported.

If that's not enough, the highest-rated travel stock on this list hasn't been this cheap since 2019 based on its price-to-sales ratio of 3.7x.

If you’ve been racking up points on your favorite rewards card, now may be the time to use them.

Lenders can assign expiration dates on the rewards you earn. While some card issuers allow you to use the rewards you earned as long as your account is in good standing, airline and hotel credit cards work differently.

Some issuers offer expirations dates between one to three years, meaning you'll need to stay on top of when you earn the rewards and when they expire.

How to keep points and miles from expiring

If your miles or points are expiring sooner than you’d like, see whether you can reset the clock by transferring an amount to another loyalty program. For example, the Capital One Venture card allows cardholders to transfer miles to more than a dozen participating hotel and airline loyalty programs, including those of Air France, JetBlue and Wyndham Hotels & Resorts.

You can also:

• Use your co-branded credit card. Even if the card isn’t your go-to credit card, use it for a small purchase once a month
• Donate miles. This option will enable you to push out the expiration date for your points and miles to donate them to charity. Most loyalty programs partner with nonprofits and allow customers to donate points and miles to help various causes
• Shop through your loyalty programs’ online shopping portal. If you’re saving up points for a big trip but are at risk of losing them, use some for an item that has a low point value like a magazine subscription. Or use the shopping portal to purchase something you need, and earn some extra points for doing so
• Earn elite status with a hotel. Reward programs, like the one offered by IHG hotels, waives expiration dates as long as you maintain elite status. You'll need to stay at least 10 nights annually at one of their branded hotels to maintain silver elite status.
• Track your reward expirations: When budgeting, add a section for credit card rewards earned, what you plan to spend them on and when you need to use them. That way you have plans in place months in advance and the expiration date doesn't catch you off guard.

Can you reinstate expired points or miles?

In some cases you may be able to call the credit card or airline or hotel loyalty program’s customer service number and ask for your rewards to be reinstated. It never hurts to ask, especially if they recently expired. Two programs flexible with expired rewards include:

American Express might allow you to get back expired points. You'll have to pay a $35 reinstatement fee and are only entitled to the points lost during the last 12 months.

Meanwhile, American AAdvantage customers need to make a purchase to reactivate miles. Some restrictions apply such as you'll only gain back the miles you earned within the last two years, up to a 500,000-mile cap.

Be polite when making your request — a little friendliness goes a long way. 

Related Content

• Make the Most of Credit Card Rewards: Here's How
• Best Rewards Credit Cards
• Credit Card Closed? Here's Why and What to Do Next
• 6 Ways to Boost Your Credit Score — Fast

As new research on identity theft continues to roll in, it paints an unsettling picture of how good crooks are getting at their craft. Although the number of U.S. breaches fell in 2018, the number of records exposed containing sensitive, personally identifiable information (such as Social Security and financial-account numbers) spiked by 126% from the year before, according to a report from the Identity Theft Resource Center. “That tells us thieves aren’t committing less crime—they’re just getting better at it,” says Eva Velasquez, president and CEO of the ITRC.

One of the largest breaches disclosed last year was at Marriott International, which admitted in November that its Starwood guest reservation database had been hacked starting in 2014. That exposed up to 383 million guest records (though the number of guests affected is likely smaller because of multiple records). Many records contained data such as passport numbers, addresses, dates of birth and, in some cases, customers’ payment-card information. Quora, an online question-and-answer platform, also discovered a breach of account information including names, e-mail addresses and passwords of up to 100 million users. Hackers may try to enter stolen usernames and passwords into other sites—say, those of banks or retailers—in hopes that some customers reuse their log-in details across several accounts. “The chances that some of those credentials will work on one or more other websites are exceptionally high,” says Velasquez.

Fortunately, none of those 2018 breaches involved Social Security numbers—a key piece of information a thief can use to run away with someone else’s identity. But the 2017 Equifax data breach exposed the names, Social Security numbers, birth dates and other sensitive data of more than 145 million Americans. Those bits of info are permanent pieces of your identity, and they may sit idle for years before a criminal puts them to work.

The overall number of fraud victims fell significantly last year from 2017, thanks largely to a decline in fraud against existing credit and debit cards, according to a Javelin Strategy & Research report. But in both 2017 and 2018, the number of victims who faced some liability for fraud more than doubled from 2016, and so did the victims’ out-of-pocket costs. Incidents of fraud in which criminals open new financial accounts in a victim’s name or take over existing non-card accounts, such as brokerage or retirement accounts, were well above historical levels in 2017 and 2018 and “are much more difficult, and frequently expensive, for victims to resolve,” says Javelin.

Sophisticated schemes. Imposter scams, in which crooks claim to be representatives of the IRS, Social Security Administration or other entities in attempts to glean personal information or money from their targets, topped the list of consumer complaints submitted to the Federal Trade Commission in 2018—the first time such scams have reached the number-one spot. Scammers are taking aim at both consumers and businesses with increasingly realistic “phishing” e-mails, persuading individuals to click on links or attachments that could infect their computers with malware or prompt them to send sensitive information.

In early 2017, Pooja Raval found out that a staff member of the community health center where she worked as a physician had been tricked into e-mailing the employees’ W-2 tax forms—which contain a treasure trove of personal info, including Social Security numbers, addresses and income information—to a crook. Thieves can use such valuable pieces of data to impersonate victims in several ways—and since the breach, Raval, of Cambridge, Mass., has encountered a few of them. A criminal attempted to file a tax return and collect a refund in her name; the IRS noticed that something was amiss and sent Raval a letter before issuing the refund. She was instructed to bring the letter and various identifying documents to an IRS center so that she could get an Identity Protection PIN to file with her tax return. (Before she could make it to the center, the IRS sent her the PIN.)

Someone has repeatedly tried to use Raval’s in­formation to get health insurance. And a credit card was fraudulently opened in her name—despite freezes she placed on her credit reports, says Raval. Rather than being able to take steps to prevent identity theft, she says she has had to “wait and fix it retroactively.” Raval says she lacked support from her employer in repairing the damage, and she left the company early last year.

Stronger protections. If there’s a bright spot among the bad news, it’s that policymakers are paying attention. The Equifax data breach “has created a lot of interest in legislation both at the state and federal level to provide consumers with greater protection from identity theft,” says Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse.

Last September, a federal law that made credit freezes free for everyone went into effect. The same law also requires the Social Security Administration to offer financial institutions a more streamlined system to ensure that the Social Security number a customer provides matches up with the name and birth date associated with that SSN. The measure is designed to cut down on synthetic identity fraud, in which criminals piece together real SSNs—often of children—with fake names and other bits of personal info to create new identities. More federal data-privacy laws may be on the way, too. The Senate Banking Committee recently sought input on the collection, use and protection of sensitive personal information by financial regulators and companies.

Private companies and the government have a big responsibility in taking better care of your personal data. But you can take steps to safeguard your identity, too.

Tax ID theft

More than your refund is at risk.

The problem: Your tax return could be attractive to an identity thief even if you are not owed a refund. Filing for a refund using a stolen identity is still the most prevalent form of tax ID theft, although new security protocols have made it more difficult. In the past, a criminal needed only your name, date of birth and Social Security Number (SSN) to file a tax return in your name, because he or she could make up the other details, including W-2 information, to claim an outsize refund. Now a thief may need more information to beat the system.

Although stolen identity refund fraud remains a threat, employment-related identity theft—in which a crook earns wages under your SSN—is on the rise, says Lisa Weintraub Schifferle, the Federal Trade Commission’s identity theft program manager. Another type of tax fraud involves someone claiming your children as his or her dependents.

You probably won’t know that you are a victim of tax fraud until the Internal Revenue Service tells you, or your electronic filing is rejected because a return has already been submitted using your SSN.

How to avoid it: Filing your return as early as you can—even if you owe money—is the only way to beat a thief to the punch. If you are filing electronically, stick with a secure internet connection. Don’t use unfamiliar tax software or a new tax preparer without screening for complaints and checking for scams.

Victims of tax fraud will be assigned an Identity Protection (IP) PIN. Residents of California, Delaware, Florida, Georgia, Illinois, Maryland, Michigan, Nevada, Rhode Island and the District of Columbia may request a PIN on their own for federal filing. However, if you’re approved, you must use the PIN for all future filings.

The IRS will never call or e-mail you and threaten to arrest or deport you if you don’t pay up. Normally, the IRS initiates contact by mail. But more recently, the agency started contracting with private debt collectors who may contact you on its behalf.

“We used to be able to say that the IRS will never call you to collect a debt, but now you may be called if you owe back taxes,” says Schifferle. However, you will be notified by letter first, and legitimate debt collectors will not argue if you want to call the IRS to verify their identity.

What to do if you’re a victim: The IRS is getting better at catching suspicious returns and verifying with the real people behind those SSNs, says Velasquez. And although the agency will help you sort out the fraud and return the refund you’re entitled to, the process could take months. You will need to file all future taxes with an IP PIN, and you may experience other hiccups, such as an inability to use the tool that automatically transfers your tax return data into a FAFSA (the Free Application for Federal Student Aid form) for tax transcripts affected by fraud.

If you receive a letter from the IRS noting suspicious activity, call the phone number provided in your letter to learn your next steps. Keep meticulous records of your conversations. Or, if your e-filing was rejected, report the incident to the IRS by filling out and sending in an IRS Identity Theft Affidavit, or Form 14039, by mail; if you report your identity theft at IdentityTheft.gov, you can submit the affidavit electronically. You will still need to file your taxes by the April 15 deadline (or request an extension), even if it means paper filing.

The IRS estimates that it will take 120 days to get your refund if one is due, or more than 180 days for complex cases. But Velasquez says that callers to the Identity Theft Resource Center have reported resolutions anywhere from around a month to a year later. You will receive a new IP PIN each year to include on your tax return.

Call your state department of revenue (find the link at taxadmin.org/state-tax-agencies) to put it on notice that your federal tax return was compromised, even if you’re not sure whether someone is trying to defraud you at the state level, says Velasquez. “A thief can only use your data to file one fraudulent federal return,” she says, “but can file across multiple states.”

They've got your (mobile) number

The Social Security number has been the most important unique identifier for decades, but a new kind of ID has emerged in the last decade or so as an alternative: your mobile phone number. When a company wants to verify your identity when you log in to an account from a new device, for example, it’ll often ask you to verify a code it texts to the mobile number they have on file. “But that’s not a piece of information that’s designed to be kept secret,” says Jake Williams, security principal of Rendition Infosec and a former NSA hacker. “We give it out, put it in our e-mail signatures.”

Over the past few years, some hackers have taken advantage of this vulnerability by executing a “SIM swap” hack, typically by calling a telecom company, saying they’ve lost their phone and need their number—your number—to be swapped to a new SIM card they bought from the store. If they can convince a customer support agent they’re you with a few bits of personal information, they’ll have access to any account you’ve secured with your phone number by resetting your password.

Most people aren’t prominent enough to be subject to this kind of attack, Williams says. People in the public eye or in high-risk positions are more likely to be targeted. For protection, it’s possible to port your phone number to a VOIP—an internet-based calling service—which is much more difficult to SIM swap.

Medical ID theft

Avoid health care hijackers.

The problem: Medical identity theft—when a criminal uses your health information to receive medical care or prescription drugs or file insurance claims in your name—is rare, but it’s hard to shake and likely on the rise.

In the fall of 2017, Tyler P. of Austin, Texas, received a call from the billing department of a local hospital for an emergency-room visit the month before, saying that he owed $7,000 for back surgery. Tyler had been on a plane to Memphis the day the hospital said he had checked in for the procedure. After losing his wallet a few months earlier, Tyler had frozen his credit and was scrutinizing all his bills for any sign of fraud. But with just his driver’s license and an insurance card, a thief had all he needed to ask for a back operation and a week-long stay in recovery. “It was nuts,” Tyler says.

Tyler made a flurry of phone calls, first to his insurance company, then to the police, then to the hospital to begin disputing the charges. But the real challenge was untangling the criminal’s medical records from Tyler’s. “There were a lot of people [at the hospital] who didn’t know what to do with me,” he says. Eventually, Tyler connected with an administrator in the billing department who agreed to work with him.

Beyond the bill, having incorrect information in a medical record can have deadly consequences years after the crime; for example, you could be denied a certain treatment due to an allergy or condition on records left behind by an identity thief.

How to avoid it: Your health providers are likely to ask for your Social Security number, but your health insurance information is usually enough to receive and manage care, especially if you’ve used the provider in the past. Thankfully, the Social Security Administration stopped printing Medicare cards with SSNs on them in 2018.

Review statements you receive from your medical or insurance providers. If you recently received treatment but the explanation of benefits seems to differ even a little, don’t write it off as a mistake. And if you receive mail from providers you haven’t used, don’t toss it; thieves may have used your identity to get care.

What to do if you’re a victim: File a police report, then contact your medical providers and ask to see a copy of your records. Some institutions may balk at handing them over if you say they’ve been compromised with someone else’s medical data, but the right to request your records overrules an identity thief’s right to privacy, says the Federal Trade Commission.

Ask your provider for an “accounting of disclosures” to have a paper trail of every in­stitution to which they’ve sent a copy of your medical records. As you contact providers, send time-stamped letters explaining your situation along with a copy of your police report. If you catch the fraud early, you may be able to contact the billing department of your provider and ask to cancel the debt. But if the debt is passed on to an outside collector, you’ll need to use the protections offered by the Fair Credit Reporting Act and Fair Debt Collection Practices Act—such as the right to an investigation—to clear things up, according to Pam Dixon, founder of the World Privacy Forum.

Credit and debit card fraud

Safeguard your plastic and your account information.

The problem: The U.S. transition to credit and debit cards equipped with microchips—and payment terminals that accept chip transactions—is reducing fraud on existing card accounts. If ID thieves try to intercept chip transactions, they can’t get enough usable data to create counterfeit cards. Losses from fraud on existing card accounts fell from $8.1 billion in 2017 to $6.5 billion in 2018, according to a recent report from Javelin Strategy & Research.

But payment terminals at gas pumps, in particular, are vulnerable to “skimming” of customer card data by crooks because gas stations don’t yet face liability for counterfeit-card transactions at the pump. Starting in October 2020, gas stations that haven’t upgraded to chip terminals at the pump may incur liability for such transactions.

Fraudsters are also going online to steal payment credentials. Through a method called formjacking, they embed malicious code on retail websites to grab customers’ payment information. Such fraud affected more than 4,800 websites per month last year, on average, according to a recent report from Symantec. Small and midsize retailers are often targets, although well-known companies such as British Airways and Ticketmaster have been hit, too.

How to avoid it: Don’t store your card information on retail sites or apps. “I never save my payment information. It takes 10 seconds to type it in,” says Carl Carpenter, CEO of security firm Arrakis Consulting. Certain issuers—including Bank of America, Capital One and Citi—offer virtual numbers for most of their credit cards. Rather than enter your card’s real number when shopping online, you use a different number that’s linked to your card account.

Gas-pump skimmers are hard to spot because they’re typically installed inside the machine. Steer clear of pumps at the edges of the station. Crooks are more likely to place skimmers there, where they can insert the devices unnoticed. At the ATM, shield your hand as you enter your PIN in case a thief has put a camera on the machine to capture your PIN (along with a skimmer to record your card data).

It’s not a bad idea to get notifications from your financial institutions—whether by e-mail, text message or through a mobile app—each time a transaction goes through on your credit or debit card. Sometimes thieves make small purchases to test a card, which you may not notice if you receive alerts only for large transactions. “Some people say they don’t want to be bothered. The truth is, you do want to be bothered,” says Adam Levin, founder of identity-protection service CyberScout.

Consider paring the number of payment accounts you use so that you have fewer to track, suggests Velasquez. If possible, use a credit card for most purchases. Legally, your liability for fraudulent purchases with a credit card is capped at $50—and you’ll owe nothing if your card number (but not the card itself) is used fraud­ulently. Plus, the major card networks have zero-liability policies for fraudulent account use, and credit cards come with stronger liability protections than debit cards. And with debit and prepaid cards, you may owe late penalties and overdraft fees.

What to do if you’re a victim: Immediately call your bank or credit card issuer if you see unauthorized transactions. Or your bank may notice first that something is amiss. You’ll receive a card with a new number. If a criminal used your financial account’s online log-in information to steal funds, change your username and your password.

Liability for funds taken with a stolen debit card varies depending on how quickly you report the issue; you’re off the hook if your card number (but not the physical card) is stolen and you tell the bank within 60 days of it sending your statement. If you promptly notify your financial institution, you’ll likely get the money back—but you may have to wait until the bank processes your claim.

Protect your kids' data

The federal law that mandates free credit freezes includes provisions for freezing the credit records of children younger than 16. If you’re a guardian or conservator or have a power of attorney for someone—say, an elderly parent—you can freeze his or her files, too.

If your child doesn’t have a credit report, the agency must create one and freeze it upon a parent or guardian’s request. You’ll have to send the request by snail mail with copies of supporting documents, such as your child’s birth certificate and your driver’s license. (Freezing a child’s Equifax file, however, has been difficult and confusing for some customers, so you may want to wait until the agency works out the kinks.)

Children are attractive targets for ID thieves because it may be years before anyone notices that a child's identity has been snatched. Take care to keep track of a child’s PINs because several years may pass before the child needs to lift the freeze, says Velasquez. She advises telling a trusted family member or friend where to find your children’s PINs as backup.

Unusual mail in a child’s name—such as pre­approved credit card offers or debt-collection notices—is an indication that his or her identity may have been stolen. Tell your children not to hand over their personal information online (or anywhere else) without your permission.

The power of putting your credit on ice

The case for placing a security freeze on your credit reports is stronger than ever, even if you haven’t yet suffered identity theft. Thanks to a federal law that went into effect last year, both placing and lifting a freeze is free for every­one. And when you ask to remove a freeze online or by phone, the credit agencies—Equifax, Experian and TransUnion—must lift it within an hour of receiving your request.

A freeze is designed to stop a criminal in his tracks if he attempts to open a credit line in your name. (It does not, however, block criminals from accessing accounts you already have.) A lender cannot view your credit report—a collection of data about your credit activity—in response to a new credit application when a freeze is in place. You must contact each credit agency separately to place and remove freezes. For good measure, you could also freeze your report with Innovis, a fourth credit agency, at innovis.com or by calling 800-540-2505.

If you run into roadblocks while dealing with the credit agencies, you can enlist a pro to help. Representatives of the Identity Theft Resource Center’s free services (call 888-400-5530) will walk you through the steps. Or, if you subscribe to an identity-theft monitoring service, its reps may assist you. If you’re getting nowhere after repeated attempts to work with a credit agency, try submitting a complaint to the Consumer Financial Protection Bureau. It will forward your complaint to the agency and aim to get you a response within 15 days.

Managing your freeze. When you place a freeze, each agency will give you a PIN, which you may later need to provide to unfreeze the reports. Equifax and TransUnion now allow customers to thaw their reports through password-protected online accounts (no PIN required), but you’ll still need the PIN to lift a freeze over the phone. Keep your PINs and passwords in a safe place.

Be aware that new creditors aren’t the only entities that may want access to your credit report. Some banks, for example, ping a potential new customer’s credit report for identity verification when he or she applies to open a checking or savings account. If you want to use a third-party service that offers free credit scores, access to your credit reports or monitoring of your reports for significant changes, you may have to lift the freeze when you enroll—or, in some cases, the service won’t work at all. Ask a service which credit agency’s report it accesses—you may have to lift the freeze at only one agency. To create a My Social Security account online, for example, you’ll have to remove a freeze temporarily only on your Equifax report; you can re-freeze the report after you’ve enrolled (you won’t have to lift the freeze if you go to a Social Security office to open the account). Whether or not retirement is near, it’s smart to create an account now to prevent a thief from opening one in your name and using it to collect benefits.

Stay vigilant. Even if you’ve frozen your credit reports, keep tabs on them. Every 12 months, you can get a free copy of your report from each agency at annualcreditreport.com. Make sure that you recognize each account listed.

A credit-monitoring service, which regularly scans your credit report and sends you alerts of significant changes, may be useful even if your reports are frozen. For example, a change in address may indicate that someone has taken over one of your existing accounts and re­directed your mail.

You can get free monitoring of all three reports through CreditKarma.com (for Equifax and Trans­Union monitoring) and FreeCreditScore.com (Experian). Some paid identity-theft monitoring services cover all three credit reports and offer other features, such as scanning of the dark web for your personal information and remediation services if you do become an identity-theft victim (see Early Alert Systems for Identity Theft).

If a suspicious account shows up on your credit report, contact the lender’s fraud department. If someone has stolen your identity, file a police report and fill out an Identity Theft Report at the Federal Trade Commission’s IdentityTheft.gov website, then send those documents to the lender and the credit agencies. The agencies must remove fraudulent information from your reports if you send them the FTC form.

Phishing

Don’t get hooked by fake messages.

The problem: Phishing can come in the form of e-mails, texts, social media messages or phone calls that try to extract personal information from you or infect your device with malware. These devious messages may address you by name, appear to come from a person or company you recognize, and mimic the look and tone of communications from your bank, social media accounts or employer.

If you fall for a phisher’s e-mail or other message and click on a nefarious link, or open a malicious attachment, “your computer or phone gets owned by the bad guys,” says Stu Sjouwerman, CEO of KnowBe4, a company that provides security-awareness training. Criminals can monitor your activity, steal your log-in credentials to sensitive websites, spy on you by turning on your camera or microphone remotely, hold your data for ransom, and more.

How to avoid it: KnowBe4’s top-clicked phishing subject lines in the last three months of 2018 included “Password Check Required Immediately,” as well as the timely “Your Order with Amazon.com,” and “Happy holidays! Have a drink on us.” Kelvin Coleman, executive director of the National Cyber Security Alliance, says phishing campaigns often materialize in relation to big health scares, natural disasters, tax season and elections.

Scan e-mails for visual cues that something is off, such as grammatical errors, misspelled words or distorted company logos, says Brian Lapidus, head of identity theft and breach notification at security firm Kroll.

Examine the “from” e-mail address to see if the user name and domain are recognizable, or if they contain subtle typos, such as “@amazom.com.” Hover over hyperlinks with your cursor to see if the link that pops up matches the web address in the message. Instead of clicking on links from e-mails sent by, say, your bank or brokerage, type the web address into a separate tab. A fishy link may lead to a realistic mockup of the institution’s website, complete with the padlock symbol and “https”—widely seen as signs of authenticity—in the URL, says Stacy Shelley, vice president of marketing at PhishLabs, a cybersecurity firm.

Rather than opening attachments you don’t recognize, use the “preview” function if your e-mail has one to view them safely. Better yet, contact the sender in a separate e-mail or text to ask if he or she e-mailed you an attachment. Be extra careful when viewing e-mail on a mobile device, where you can’t hover over a link or easily see a full URL after clicking on a link.

Equip your devices with anti-malware software and regularly install security patches and updates. (For more tips, see lockdownyourlogin.org.) Set up two-factor authentication where possible, and back up files once a month to the cloud, an external hard drive or memory stick in case your device needs to be wiped clean or a criminal holds your data for ransom.

What to do if you’re a victim: Change the passwords to your financial accounts and other important websites as soon as possible, pre­ferably from another computer in case a keylogger is recording these new passwords on your compromised device. Run a malware detection tool, such as Malwarebytes, to see if your computer was infected. If your device has been locked with ransomware, try searching the internet for unique words in your ransomware note to see if you can find a free decoder.

Or find a pro to help. Best Buy’s Geek Squad charges $100 for remote virus and spyware removal, or $150 for in-store or at-home help. Staples charges $100 for remote service, $160 for an in-store fix, and $300 for a technician to visit your home. McAfee Virus Removal Service ($90) and Norton Spyware & Virus Removal ($100) will help you remotely as well.

How to secure your devices

Ask any security expert how consumers most often shoot themselves in the foot, and the response will almost certainly be passwords. The most common password in the world is “123456,” followed by “password.” We are bad at passwords.

The best solution is a password manager. LastPass offers a free version of its software that will generate, store and save randomized passwords across all your devices, all locked behind a single master password. Many browsers function like password managers, offering to save your log-in information. Some, including Google Chrome, will even generate a random password for you. But the password requirements for your Google account aren’t very strict, with no uppercase letter, number or symbols needed. If your master password is easy to crack, all the accounts saved inside could be at risk.

Another crucial practice for securing your devices is two-factor authentication, or 2FA. You’ve experienced 2FA if a service has sent you an e-mail or text to confirm your identity before signing in. If an account gives you the option to require 2FA whenever you log in, it’s generally a good idea to use it. The extra step prevents a thief with your bank password from accessing funds remotely.

Not all 2FA systems are equal, however. If an account only offers authentication via basic text messaging, you may be vulnerable to a “SIM swap”. For now, this is still rare, and “having 2FA is better than not having it, no question,” says Jake Williams, principal of Rendition InfoSec and former NSA hacker. The website turnon2fa.com offers step-by-step instructions for activating the feature across dozens of websites, from Facebook to Fidelity.

Where to get help

Tap these resources to protect yourself from ID theft, to get assistance if you do become a victim and to receive alerts about new scams.

• The nonprofit Identity Theft Resource Center helps victims resolve identity theft. Call the ITRC at 888-400-5530, or start a live chat online at idtheftcenter.org.
• The AARP Fraud Watch Network hotline (877-908-3360) offers victim assistance, and you don’t have to be an AARP member to use it.
• The Federal Trade Commission’s IdentityTheft.gov walks victims through the steps to recovery depending on the type of fraud they experienced and offers sample letters to send to credit agencies, lenders and other involved parties. FraudSupport.org also guides victims to resources.
• For detailed instructions on how to place a credit freeze, including web links and phone numbers for the credit agencies, see Freeze Your Credit in Three Steps.
• To stay up-to-date on the latest scams, you can sign up for alerts at fraud.org, consumer.ftc.gov/features/scam-alerts and aarp.org/money/scams-fraud.
• To see if any of your e-mail addresses or accounts have turned up in a data breach, go to HaveIBeenPwned.com. If you turn up a positive result, it’s time to update your passwords.
• If a suspicious e-mail shows up in your inbox, use Google’s Safe Browsing URL checker to see if a website has been reported as dangerous to visit. This can include malware-laden cesspools as well as legit sites that have been compromised. See more at transparencyreport.google.com.