Social engineering is a somewhat misunderstood and often overlooked form of stealing someone’s identity.

While it still requires a certain amount of finesse and skill, it’s not quite on the same technical level as hacking into a major bank’s computer network and rerouting funds, for example. Instead, social engineering is more like playing detective, letting the bad guy gather clues in order to steal your identity.

Every bit of information about you—your name, birthdate, phone number, email address, Social Security number, and more—is a piece of your identity puzzle. With enough pieces of the puzzle, a thief can commit a crime; with all of the pieces, a thief can obviously commit bigger, more devastating crimes.

What can a thief do with just your email address? Depending on your address, it might actually be very easy for someone to figure out what platform you use to host your email. It might be a free host site like Yahoo, Gmail, or Apple’s proprietary platform (me.com), just to name a few, or it might be assigned by your internet service provider, like Att.net, Comcast.net, or Cableone.com. In any case, the last part of your email address, after the @ symbol, tells the thief where to begin. With just your email address, thieves can attempt to login by guessing common passwords or using “roboguessing” software.

If the thief is lucky and you’ve used a very common password (like 123456 or “password”), then they’ve gained access to your email account. They immediately change your password and lock you out, then begin going to major websites around the internet. All they have to do is click “forgot my password” and enter your email address, then change your password on sites like Amazon, PayPal, Facebook, or Dropbox. After taking control of your accounts, it’s a very simple matter to pretend to be you. They might shop on Amazon, divert funds out of your bank account or credit card account on PayPal, post embarrassing photos and hate-filled text on your social media accounts, or even log into your cloud storage and steal work documents. And it’s all because you didn’t have a strong password on your email account.

There are other ways to get your information, of course. Perhaps the thief has stolen your smartphone and now has your cell phone number. A simple peek through your old text messages can help them converse with your friends and relatives, easily asking questions that provide the answers to your account security questions. Also, thanks to text message authentication—and the fact that you didn’t passcode protect your phone—they can request text messages containing crucial password reset codes. This step allows them to log into your mobile wallet app, your social media accounts, your online banking, and once again, your email account.

But breaking into your email or stealing your physical phone are not the only pathways someone can use social engineering to nab your identity.A practice known as “phone hijacking” happens when someone gets enough information about you from a variety of sources, then contacts your cellular provider. Pretending to be you and using a plausible story like a damaged phone, they have your phone number “ported” to their device. Once the transfer is complete, they break into your accounts thanks to text messages containing the necessary codes to change your password.

So what can you do to protect yourself?

1. First and foremost, use strong, unique passwords on all of your accounts.

2. From there, make sure you’re changing those passwords and your security questions frequently.

3. Next, make sure your devices are passcode-protected in the case of physical theft.

4. Finally, be aware of what information you’re putting out there, both online and in everyday life.

Quite often information is gleaned from your Facebook or other social media accounts, such as your hometown or high school you attended. If your mom is one of your Facebook friends, for example, be very careful about posting a “happy birthday, Mom!” message since her maiden name may be in her username. Be smart about what you share, and always think about how someone with harmful intentions can use it against you.

Source: Identity Theft Resource Center