Credit freezes have been free at Equifax, Experian and TransUnion since 2018. They are built to block one of the most common forms of identity fraud: new credit applications opened in your name. But the latest numbers show why a freeze cannot be your only line of defense. 

Javelin Strategy & Research’s 2026 Identity Fraud Study found that traditional identity fraud losses reached $27.3 billion last year, affecting 18 million victims. New account fraud saw the sharpest rise, with victims jumping 31% from 2024 to 2025.

The problem is that not every fraud attempt comes through your existing credit file. The Federal Reserve has flagged synthetic identity fraud as one major gap. 

This type of fraud pairs a real Social Security number (SSN) with a fabricated name and date of birth, which can bypass a freeze entirely. A freeze placed on your name does not stop a credit application filed under a name that does not yet exist on any bureau file. That is where the limits of a credit freeze become much clearer.

YOU DON’T NEED AN SSN TO OPEN A CREDIT CARD: SCAMMERS KNOW THAT

Sign up for my FREE CyberGuy Report

• Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
• For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com, trusted by millions who watch CyberGuy on TV daily.
• Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

What a credit freeze can block

A freeze restricts access to your credit file at all major credit bureaus. Without access to that file, lenders deny the application. Most new credit applications run through that pull, which is why a freeze is the most direct way to block fraudulent ones.

The Federal Trade Commission (FTC) has logged 503,450 reports of credit card fraud in the first three quarters of 2025 alone, the most common identity theft category tracked by the agency. Credit card fraud and loan or lease fraud both run through credit bureau-based applications. Bank account takeover, employment fraud and tax refund fraud do not require a bureau pull, and a freeze does nothing for them. Freezes are placed at each bureau separately and are not shared across the three.

Why credit freeze limits matter with synthetic identity fraud

Synthetic identity fraud builds a person who doesn’t exist. A scammer takes an SSN stolen in a breach, attaches a name that has never been on a credit file, adds a fabricated birthdate and address and submits it as a new credit application. The bureaus, seeing an SSN they recognize and a name they don’t, open a fresh file under the new combination. The file is thin at first. The scammer then works it slowly with small approved cards, a line or two of credit and a few months of clean payments. By the time it looks real enough for a meaningful credit limit, the scammer maxes it and vanishes.

By the end of 2024, U.S. lenders faced more than $3.3 billion in exposure from synthetic identity fraud, the highest level TransUnion has reported. The Federal Reserve’s most recent Risk Officer Report also found that financial institutions are seeing more virtual and synthetic identity account openings, and that detection often happens too late. 

In other words, this is exactly the kind of fraud a credit freeze may never catch. The freeze you placed on your own file never touches the application, because it isn’t filed in your name. The bureaus treat it as a separate consumer.

DON’T LET THIS CREDIT CARD FRAUD NIGHTMARE HAPPEN TO YOU

What credit freeze limits leave exposed

Synthetic identity fraud isn’t the only kind of fraud a freeze misses. Any fraud that doesn’t require a bureau pull bypasses it.

• A scammer who already has access to your existing credit card account doesn’t open a new one. They change the email on file and start charging.
• A fraudulent tax return uses your SSN to claim your refund before you file.
• Medical identity theft submits insurance claims under your name.
• A 401(k) takeover can happen entirely through a recordkeeper’s call center, with no bureau pull at any step.

Why a credit freeze isn’t set and forget

A freeze only helps when it’s in place at all three bureaus and stays there. Neither is guaranteed.

You set the freeze at Equifax, Experian and TransUnion separately. A freeze at one isn’t a freeze at the others. Lenders don’t pull from all three on every application, so an unfrozen file is enough for a fraudulent application to clear.

Freezes are also meant to be lifted. The FTC says online requests take effect within a minute, and federal rules require phone requests within an hour. That’s useful when you’re applying for a card. It’s also a window if you forget to put the freeze back on.

A freeze is a point-in-time control and can’t watch your file the rest of the day.

Credit monitoring and identity theft protection services can monitor all three credit bureaus continuously and send alerts within minutes of any new account or inquiry, whether your freeze is in place or lifted. They also scan the dark web and data broker listings for SSNs and other personal data, the raw material behind synthetic identity fraud.

What to do beyond a credit freeze

A credit freeze is still worth having, but it works best when you pair it with protections that watch the places a freeze cannot see.

Turn on alerts for banks, credit cards and retirement accounts

Set up text, email or app alerts for withdrawals, new logins, password changes, address changes and large purchases. These alerts can help you spot account takeovers quickly, especially if a scammer already has access to one of your existing accounts.

Check your credit reports regularly

Review your credit reports for accounts, addresses, employers or inquiries you do not recognize. A credit freeze can help block many new applications, but your reports can still show warning signs that someone is trying to use your personal information.

Use strong passwords, a password manager and two-factor authentication

Create a unique password for every important account, especially email, banking, credit card, health insurance and retirement accounts. A password manager can create and store those passwords for you. Two-factor authentication (2FA) adds another layer of protection, so a stolen password alone may not be enough for a scammer to get in.

Watch for tax and medical identity theft

A credit freeze will not stop someone from filing a tax return or insurance claim in your name. Watch for IRS notices, rejected tax filings, bills for medical care you never received or insurance explanations of benefits that do not match your records.

HOW SCAMMERS BUILD A PROFILE ON YOU USING DATA BROKERS

Limit how much personal information is online

Data broker listings can expose your address, phone number, relatives and other details scammers use to build more convincing attacks. Some identity theft protection services scan data broker listings and dark web sources for exposed personal information, including SSNs and other details criminals can use to build synthetic identities.

How a credit freeze and identity protection work together

After you add account alerts, stronger passwords and regular credit checks, identity protection can add another layer of monitoring. A freeze blocks new credit applications at the bureau level. Identity protection watches what does not pass through those checks.

Many identity theft protection services monitor the major credit bureaus and alert you to new accounts, inquiries or changes to your file. Some also scan dark web marketplaces and data broker listings for exposed personal information, including SSNs and other details criminals can use to build synthetic identities. If fraud appears, some plans include fraud resolution support and identity theft insurance to help with eligible recovery costs.

No service can prevent every form of identity theft. A freeze and identity protection together cover what neither does on its own.

How to check if your personal information was exposed

If you are unsure whether criminals have already exposed your information, take action now. Start with a free identity breach scan to see whether your data appears in known leaks. Early detection gives you more control and helps you respond before fraud spreads. Check whether your personal information is already being used for identity theft, fraud or appearing on the dark web. See my tips and best picks on Best Identity Theft Protection at CyberGuy.com

Kurt’s key takeaways

A credit freeze is one of the smartest moves you can make after a breach or identity theft scare. It can block many new credit applications opened in your name, but it does not protect every part of your financial life.

The biggest gap is synthetic identity fraud. Criminals can use a stolen Social Security number with a fake name or birthdate to build a new credit file that your freeze never touches. Account takeovers, tax refund fraud, medical identity theft and 401(k) scams can also happen without a credit bureau pull.

That is why a freeze should be your first layer, not your only layer. Keep freezes active at Equifax, Experian and TransUnion. Then add alerts, account monitoring, strong passwords, two-factor authentication (2FA) and identity protection that can spot activity outside your frozen credit file.

Have you ever had a credit freeze in place but still worried your identity was exposed? Let us know by writing to us at CyberGuy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report

• Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
• For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
• Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

Copyright 2026 CyberGuy.com. All rights reserved.

A robot mower sounds like the kind of yard tool that should make life easier. It cuts the grass, saves you time and quietly handles a chore most people would rather avoid.

But a new independent security report raises a bigger concern about what may be happening behind the scenes. Security researcher Andreas Makris says Yarbo robots, which include autonomous lawn mowers and snow blowers, contained serious flaws that could expose owners to remote access, live camera viewing and Wi-Fi credential theft. The report says roughly 6,000 robots are currently affected.

Yarbo has since responded through its Security Center, saying the core technical findings are accurate and that it has started rolling out security fixes. Still, the report raises important questions about how much access smart yard devices should have inside your home network.

Sign up for my FREE CyberGuy Report

• Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
• For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
• Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

SMART HOME HACKING FEARS: WHAT’S REAL AND WHAT’S HYPE

Yarbo robot security risk: What the report claims

Makris says Yarbo robots ship with a persistent remote access setup that uses a tunnel to reach the robot over the internet. According to the report, the robots also include a hardcoded root password shared across the fleet and a remote connection method tied to the robot’s serial number. That is important because “root” access gives someone deep control over the device. In simple terms, it can mean administrator-level access to the system inside the robot. The report also says the remote tunnel runs automatically, can restart itself if stopped and may return if removed. That raises a major concern for owners because they may not have a simple switch in the app to shut it off.

Why a robot mower could put your home network at risk

Smart devices often need internet access to work. App controls, software updates, diagnostics and support all depend on that connection. However, Makris claims Yarbo’s setup creates a much riskier situation. He says remote access appears to be built into every robot, rather than turned on only when an owner asks for help. The report says an attacker with the right information could potentially reach a robot remotely, access internal functions and use it as a foothold on the owner’s network. So while a robot mower may seem harmless as it cuts grass, rolls through the yard or parks near the garage, that same machine can also connect to your Wi-Fi, carry cameras and sit close to your home every day.

5 WORRISOME PRIVACY CLAUSES HIDDEN IN SMART HOME DEVICES

Yarbo camera access concerns for homeowners

According to the report, Yarbo robots can have multiple camera feeds. Makris says that if someone gained root access through the remote tunnel, they could potentially view the robot’s surroundings remotely. That could include a driveway, backyard, entryway, garage area or outdoor space where your family spends time. For homeowners, this concern goes beyond a glitch. A camera-equipped device outside your home deserves the same scrutiny as a camera inside your home.

How saved Wi-Fi passwords could be exposed

The report also says an attacker with root access could retrieve saved Wi-Fi credentials from the robot’s system. That would be a serious issue because many homes use one main Wi-Fi network for phones, laptops, tablets, smart TVs, security devices and more. Once someone has your Wi-Fi password, the risk can spread. They may try to reach other connected devices or look for weak spots that were never meant to face the internet. This is why connected outdoor equipment should never get a free pass. A lawn robot may be housed outside or in the garage, but its network access can reach inside.

What Yarbo says now

After Makris published his report, Yarbo posted a response to its Security Center page on its website. The company said the report identified serious vulnerabilities in its remote diagnostic, credential management and data-handling systems. Yarbo co-founder Kenneth Kohlmann also said the “core technical findings are accurate” and acknowledged that the company’s initial response did not reflect the seriousness of the issues.

Yarbo says the problems primarily involved historical design choices in parts of its remote diagnostic, access management and data-handling systems. The company also said some legacy support tools did not give users enough visibility or control. Yarbo said some authentication and credential systems did not meet its current security expectations.

A NEW SECURITY SEAL OF APPROVAL IS COMING TO YOUR SMART HOME GADGETS

What Yarbo says it has fixed

Yarbo says it has taken several remediation steps since the report was published. According to the company, it has retired historical fleet-level root credentials, revoked shared FRP remote-access credentials and disabled related FRP server-side connection paths.

The company also says updated versions of the Yarbo mobile app no longer contain static credentials or embedded access mechanisms capable of directly authenticating against backend services. Yarbo says it has removed reporting scripts, legacy dependencies and non-essential network configurations that no longer served a necessary product function.

However, Yarbo says more work remains. The company says it is rebuilding its credential management system so any remaining shared-credential models can be replaced with individually scoped, per-device credentials. Each credential would support independent rotation and revocation.

Why Yarbo data connections raise privacy questions

The report also points to connections involving Hanyangtech, Yarbo’s Shenzhen-based parent company, along with ByteDance Feishu, Tencent TDMQ and Chinese DNS resolvers. Makris says some robot telemetry can be sent to ByteDance’s Feishu platform and that certain infrastructure choices are built into the firmware.

Yarbo now says it has removed reporting scripts, legacy dependencies and non-essential network configurations that no longer served a necessary operational or product function. The company also says historical servers and legacy access channels will continue to be phased out as part of its remediation work.

The core issue is transparency. Owners should know where their devices send data, which companies can access it and whether those connections are essential for normal use. That level of clarity matters even more for devices with cameras, location data and access to home networks.

What this means for you

If you own a Yarbo robot, this report means you should treat it like any other connected device with cameras, location data and access to your home Wi-Fi. Yarbo says it is pushing security updates automatically to connected devices. That means owners should connect their Yarbo long enough to receive the latest security update. After that, consider moving it back to a guest network or an isolated smart-device network.

CyberGuy reached out to Yarbo, and a representative said the company encouraged readers to refer to the Security Center at yarbo.com/pages/yarbo-security-center for the latest verified information and ongoing updates.

How Yarbo owners can reduce the risk

You may not be able to control everything happening inside the robot, but you can take a few practical steps to limit what it can reach on your home network.

1) Put the robot on a guest network

Do not keep your robot mower on the same network as your laptop, phone or security cameras. Use a guest network or a separate smart-device network if your router supports it.

2) Change your main Wi-Fi password if you are concerned

If your robot has connected to your main Wi-Fi and you are worried about exposure, change the Wi-Fi password. Use a strong, unique password and store it in a trusted password manager so you do not have to reuse or remember it. Then reconnect only trusted devices. Check out the best expert-reviewed password managers of 2026 at Cyberguy.com

3) Check your router for unknown devices

Open your router app or admin page and review connected devices. Look for anything unfamiliar. Remove devices you do not recognize.

4) Limit what the robot can access

Some routers let you isolate guest devices. Turn that on when available. This can keep the robot from seeing other devices on your network.

5) Ask Yarbo for specific answers

Owners should ask what remote diagnostic access remains, whether credentials are now unique per robot and whether the company will provide a true off switch for remote diagnostics.

6) Keep the robot updated, but stay cautious

Yarbo says security updates are delivered automatically once devices connect to the internet. Connect the robot through a guest network or an isolated smart-device network so it can receive the latest update without giving it access to your main devices.

Join CyberGuy Live: Lock Down Your Phone in 30 Minutes (Saturday, June 13, 10 am ET)

Your phone holds your email, passwords, photos, banking apps and personal data. In this free, live online class, Kurt the CyberGuy will walk you step by step through simple phone security fixes you can do in real time. You’ll learn how to improve your privacy settings, spot the latest phone scams, use trusted security tools and walk away with a simple checklist to stay protected. Register here: CyberGuyLive.com

Kurt’s key takeaways

The Yarbo report is a reminder that convenience can come with hidden access. A robot mower may seem like a helpful yard tool, but under the hood, it can act like a connected computer with cameras, location data and a path into your network. The biggest concern is control. Owners need to know who can reach their devices, when remote access turns on and whether they can shut it off. A company should not expect you to trust a black box sitting on your Wi-Fi. If you own one of these robots, isolate it from your main network and push Yarbo for clear answers. If you are shopping for any smart yard device, ask about security before you ask about battery life.

Would you let a smart yard robot onto your Wi-Fi if the company could not clearly explain who can access it and when? Let us know by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report

• Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
• For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
• Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

Copyright 2026 CyberGuy.com. All rights reserved.