
7 Tips to Keep You Safe From Online Doxing
Over the past 10 days, dozens of faculty and staff members have had their personal contact information, photos and sometimes addresses broadcast online by anonymous right-wing social media accounts seeking to punish them for comments they allegedly made about the death of conservative firebrand Charlie Kirk. This public campaign of online harassment and intimidation, known as doxing, is “off the charts” right now, said Heather Steffen, an adjunct professor of humanities at Georgetown University.
Steffen is also the director of Faculty First Responders, a group created by the American Association of University Professors in 2020 to track and help faculty members targeted by right-wing media. Doxing has been on the rise since protests over the Israel-Hamas war fractured campuses in 2023, but educators are increasingly coming under attack in “ideologically motivated efforts” to silence dissent, according to an August report from the National Association of Attorneys General. “This shift signals the evolution of doxxing from isolated conduct to a more coordinated form of digital persecution,” the report said.
While the attacks are becoming more frequent and sophisticated, higher ed employees can take steps to minimize the risk of doxing, as well as the damage incurred if it does happen.
1. Keep your personal and work accounts separate.
Remove employers’ names from all of your personal social media accounts—if it’s in your bio, take it out, Steffen advised. “You can state in your bio on social media that your views do not represent your employer, and you don’t need to name the employer in order to do that,” she said.
In many cases, work may demand that you list some contact information publicly, but don’t use that information for personal business, said Rob Shavell, CEO and co-founder of DeleteMe, a service that will find and try to wipe members’ personal information from the web. “The data brokers are getting very good at correlating [work and personal] data and putting them into one dossier,” he said. These days, when DeleteMe’s privacy advisers scan the web for members’ information, they return an average of 750 pieces of personally identifying information per person, up from 225 pieces four years ago.
Also, be aware of what devices, accounts and Wi-Fi networks you’re using, and be sure not to use work-provided equipment or resources for anything other than work, Steffen added.
2. Scrub your information from data-broker websites.
Data brokers collect and sell personal information. Companies like DeleteMe and Incogni will remove your personal information from data-broker websites for a fee; DeleteMe charges $129 per member annually. But for anyone who wants to take a do-it-yourself approach, DeleteMe has published free opt-out guides that walk readers through removing their information from the sites, including Experian, TransUnion and CoreLogic. Steffen also suggests following the steps outlined in the Big Ass Data Broker Opt-Out List, a GitHub project that explains how to scrub your information from data brokers.
3. Use an email mask or alias when possible.
“Masked emails or phone numbers or even credit cards allow you to sign up for things or make calls or buy things without revealing to every counterparty your real personal information,” Shavell said. DeleteMe offers masking, as do companies like Apple and NordPass. These services create a faux address that will then forward emails to your real account. Google also offers free alias phone numbers through Google Voice that will forward calls to your personal phone. In addition to better security, masking also decreases spam and phishing risks.
4. Breathe before you post (and remember the risk of screenshots).
Even if you’re posting to a private account—say, a “close friends” story on your personal Instagram—anything you put online can still be screenshotted and shared widely, Steffen warned. “Anytime you’re posting or reposting something, a good tool can be to pause and think: Would I be comfortable with my employer, my students and my community knowing that I hold this view, and would I be comfortable with them seeing it expressed in this way?” she said.
5. Protect your accounts with complex passwords and two-factor authentication.
It’s boring, but it’s important, said Viktorya Vilk, director for digital safety and free expression at the nonprofit PEN America, which offers digital safety training to colleges and universities and has created a “what to do” resource for people who have been doxed. “If someone hacks into your Facebook or your email, it’s so hard to get that account back. And it’s also incredibly intrusive and unsettling,” she said. “Having a long, secure password and two-factor authentication makes it almost impossible for someone to be able to hack into your account.”
6. In the event you are doxed: Center yourself, and then secure your physical safety.
“People often have a fight, flight or freeze response. It can be incredibly traumatizing and so very difficult to take steps or use your judgment about what to do when you’re being doxed,” Vilk said. “And so, counterintuitively, the very first thing to do is to take a minute and try to center yourself. For some people that’s taking some deep breaths. For other people, it’s just, like, moving around, wiggling around.”
After that, make sure you’re physically safe, she advised. If your address has been shared, consider staying at a hotel or with friends or family until the storm passes. Consider contacting law enforcement to report the threats, file a police report and let them know you’re at increased risk for swatting—a harassment tactic that involves making a false emergency call in order to dispatch law enforcement to a specific location.
7. Once you are physically safe, document the harassment and lock down your accounts.
Set your social accounts to private mode if they’re not already, and take any steps to limit visibility of your posts, Vilk said. “That’s very easy to switch back after the storm dies down,” she added. Be careful communicating with unfamiliar accounts, emails or phone numbers, and document any threats or harassment you receive. Don’t download attachments or click on links from unknown senders, and do a quick search online to find out more about them before responding.
“Take screenshots when you receive them and then report them to the platform where they’re happening. That can be really stressful, so we really recommend that people recruit friends or family or trusted colleagues to help them do that so that they’re not doing it alone,” Vilk said.
Your cellphone number can also be stolen. “If it starts to circulate online, people will call your cellphone company and pretend to be you and try to reroute traffic,” she said. Protect your number by calling the company and placing a PIN on your account.