Identity theft has become one of the greatest worries for Americans. And no wonder. We all know someone (more likely many people) who have been victims of identity theft. Unfortunately, this is a trend that is only getting worse.
Between personal horror stories around the dinner table, and the endless reports of data breaches exposing our personal data to crooks from around the world, you won’t be surprised to hear that identity theft is a rapidly growing problem in the USA and around the world.
In this guide, I’ll fill you in on identity theft in 2019. We’ll talk about what’s happening, what you can do to protect yourself, and what to do if you become a victim of identity theft or fraud. It isn’t a pretty picture, but we aren’t completely helpless either.
What is identity theft?
What exactly is identity theft? It is the act of stealing someone’s personal, private, or financial data. A criminal can use this data to impersonate you for the purpose of committing some kind of fraud or crime. They use the data they steal to do things like open multiple credit card accounts in your name. Then they go on a wild spending spree while you get stuck with the bill.
The problem of identity theft has become so pervasive that even the US Department of Justice has been sounding the alarm.
Identity Theft vs Identity Fraud vs Identity Data Exposure
Most of the information you will find about identity theft tends to mash together three separate, but related concepts. Because there are times when they need to be treated differently, we’re going to tease them apart right now.
As we discussed earlier, identity theft is the act of stealing personal, private, or financial data. The data may or may not have been used, but it is in unfriendly hands.
Identity fraud is using someone else’s identity in a fraudulent or deceptive manner, usually for financial gain. Not all victims of identity theft become victims of identity fraud.
Identity data exposure is where identity data is in an insecure state. A good example is when you lose your wallet. Any personal, private, or financial data in your wallet is not secure, since you have no idea who has access to it. By the same token, you don’t know if your data has been stolen or is simply lost. Whatever the reality of the situation, the safe bet is to assume you are a victim of identity theft.
Further confusing things is the fact that the public and most information sources use the term identity theft for the actual theft and for the fraud that it can lead to.
Throughout this article, we will take care to distinguish between these three concepts whenever the distinction is relevant.
The latest identity theft / identity fraud statistics
Now that we’ve got the concepts clear, let’s look at some identity theft / identity fraud statistics, starting with official stats from the US government.
The Bureau of Justice Statistics (BJS) is part of the United States Department of Justice (DOJ). Their latest report on the subject, titled Victims of Identity Theft, 2016, was published in January of 2019. According to the study, about 10% of people age 16 or over reported being a victim of identity theft within the preceding 12 months. This is up from 7% in the 2014 report.
This report also illustrates the confusing way the terms identity theft and identity fraud are used. 85% of identity theft victims said the,
most recent incident involved the misuse or attempted misuse of only one type of existing account, such as a credit card or bank account.
In other words, they were actually talking about identity fraud. In fact, the report defines a victim of identity theft as someone age 16 or older who has experienced one or more of the following:
- Misuse of an Existing Account
- Misuse of a New Account
- Misuse of Personal Information
Those are all instances of identity fraud.
So as you look at the statistics that follow, realize that in most cases, the stats will be talking about fraud, regardless of the name they use for it. And since it is certain that there are more cases of actual identity theft than of identity fraud, the statistics are understating the true problem.
Here are some of the most recent identity theft / identity fraud statistics available right now:
- An estimated twelve percent (12%) of victims in 2016 had out-of-pocket losses of more than one dollar ($1.00).
- More than half (55%) of the victims in 2016 who were able to resolve financial or credit problems related to the fraud were able to do so in one day.
- In 2018, crooks took over approximately 680,000 mobile phone accounts, allowing them to intercept the one-time passwords often used when verifying accounts as well as the alerts that banks and other businesses send to notify you that someone has accessed your account. This appears to be a major new problem area, as in 2017, there were only around 380,000 mobile phone account takeovers.
- According to SafeSmartLiving.com, in 2017, an identity theft occurred once every 2 seconds.
- According to ConsumerAffairs, Formjacking attacks (where hackers compromise the data entry forms on websites to steal personal data) were up by 117% in 2018.
- The Federal Trade Commission’s “Consumer Sentinel Network Data Book 2018” reports that all types of identity theft against deployed members of the US military were up sharply that year.
- The FTC also reported that identity theft using social media was up 23% in 2018, compared to 2017.
- According to information gathered by Dashlane, the top 20 data breaches of 2018 alone exposed more than 2 billion records containing personal data that could be used for Identity Theft.
- According to Statista, 65% of data breaches in the first half of 2018 were classified as identity theft. If that percentage held true for the entire year, it indicates more than one billion (1,000,000,000) identity thefts by data breach just in 2018.
Fraud rates down but costs up
According to this March 6, 2019 press release from Javelin Strategy & Research, 14.4 million consumers were victims of fraud in 2018, a drop from 16.7 million in 2017. However, the costs of the fraud were much higher for the victims, with the out-of-pocket costs running $1.7 billion.
This was more than double the out-of-pocket costs incurred in 2017.
The bad guys are changing their targets
The same Press Release from Javelin indicates that the bad guys are targeting fewer people and concentrating their efforts on higher-value targets. They are taking over existing accounts and opening new accounts using stolen credentials, as well as targeting mortgages, auto loans, and other targets that they mostly ignored in the past.
Seniors lose the most from identity fraud
While all age groups (including children) are targets for identity theft and fraud, senior citizens suffer the most. According to ConsumerAffairs, while younger people are affected more frequently, the median loss for seniors is much greater.
Here are some numbers from 2017 as published by the US Federal Trade Commission (FTC):
|Age Range||% of People Report a Fraud Loss||Median Amount Lost|
|19 and under||29%||$262|
|20 to 29||29%||$400|
|30 to 39||32%||$380|
|40 to 49||28%||$440
|50 to 59||25%||$500|
|60 to 69||20%||$500|
|70 to 79||18%||$621|
|80 and over||18%||$1092|
As if these numbers weren’t bad enough, ConsumerAffairs reports that in 2018 the numbers stayed the same or increased for every age group, with the losses for people 80 and over skyrocketing to over $1600 per incident.
Identity theft risk varies wildly depending on where you live
While every state in the United States is plagued by identity theft, the likelihood you will be targeted appears to depend on where you live.
Note: The following information is based on the number of incidents reported to the FTC for each state.
- Puerto Rico and Vermont are tied for the lowest reported rate, at 51 incidents per 100,000 citizens.
- Georgia had by far the highest reported rate, with 229 reported incidents per 100,000 residents.
How does identity theft happen?
Thieves use a variety of techniques to steal your identity both online and offline.
Here are some of the most common:
Offline techniques are in many ways old-school identity theft. That is, many of these techniques predate the widespread use of the Internet, and rely on tricks like looking over your shoulder…
A thief will watch or listen to you in a public place in order to learn your credit card number, password, ATM PIN, or other information. Sometimes they will literally look over your shoulder. More frequently, they will watch from a distance, with binoculars or hidden cameras that allow them to get your information at little risk to themselves.
Stealing your discarded mail
If you get “pre-approved” credit card offers in the mail and discard them without cutting up the cards and related information, a thief may retrieve the material from your trash and attempt to open an account in your name. This is often referred to as “dumpster diving,” even though the thief works by going through your personal trash.
Redirecting your mail
Thieves have been known to complete change of address forms for their victims. The result is the postal service sending mail to a new destination, where the thieves look through it for information they can use in identity fraud.
Skimming your cards
This is where someone makes an electronic copy of the information on your credit or debit card while processing a regular transaction. Once they copy your information, they can make transactions on your card. Skimming involves more than just copying the visible information on the card. It requires an electronic device to record the data on the card’s magnetic strip.
While the skimmer can be a handheld device, they are sometimes secretly added to ATMs or other machines that read your card. According to NBC News, by the end of 2018, the United States Secret Service was finding 20 to 30 skimmers per week at gas pumps around the country. On average, each skimmer device had information for 80 credit cards stored in it.
Theft of your wallet or purse
Identity thieves can also get your information by physically stealing it from you. By taking your wallet or purse a thief gets access to a vast amount of personal and financial information that can be used to commit identity fraud.
Today, online techniques are the most common means of identity theft. After all, a crook can send a sneaky or infected email to thousands of potential victims in seconds, for free. Compare that to sneaking into someone’s yard at midnight to dig through their trash looking for unsolicited credit card offers. For any creep who wants to hit a lot of targets, the online techniques are the way to go.
Here are some of the most common online identity theft techniques:
- Phishing – Phishing attacks involve sending email messages to you in hopes of tricking you into revealing something you shouldn’t, or doing something dangerous. Phishing attacks come in various forms, including spear phishing (an attack aimed at a specific individual) and clone phishing (creating a phony email based on a legitimate one you have probably already received).
- Pharming – Pharming attacks use a hack of your Domain Name Service (DNS) or manipulation of the files on your computer to redirect you to a phony website matching the one you think you are going to. Banking websites are particular targets for pharming. You think you are entering your data into your bank’s website, but instead, the data goes to the identity thief who can use it to log into your account.
- Malware – Thieves may send you email messages or documents that contain malware. This evil software then directly or indirectly gives the thief access to personal or financial data on your computer. It may install a keylogger, which records everything you do on the computer and sends it all to the thief for use in identity fraud.
- Hacking – Hacking attacks take advantage of weaknesses in your computer’s security to steal data. Alternately, they may break into the network your computer is connected to, getting at your data from the inside. This is a particular problem on public WiFi networks, which often have little or no security.
- Phony Profile – A phony profile attack seeks to gain your confidence on social media or dating sites. Once the thief gains your confidence, they will try to trick you into giving them information they can use for identity fraud.
- Searching Old Hardware – When people sell or discard old computers or smartphones they seldom think to securely erase the hard drives and memory. Identity thieves can search this old hardware to find information they can use to impersonate you.
Theft from trusted third parties
Identity thieves don’t even have to target us as individuals to steal our information. All sorts of third parties have copies of some or all of your identity information. From stores where you use your credit card, to your doctor’s office, to the giant credit agencies, to the Social Security Administration, the NSA, and dozens of other government agencies, information about you that can be used for identity theft and fraud is all over the place.
These enormous databases (many contain records on millions of people) are prime targets for identity theft. Here’s yet another recent example:
As we saw in the Statistics section, billions of records about individuals have been stolen from databases over the years. And billions more will be stolen in the years to come. So even if you personally avoid all the phishing attacks, don’t get tricked by some liar at an online dating service, and never get your wallet or purse stolen, the odds are high that you will be, or already have been, a victim of identity theft if not identity fraud.
Will identity theft hurt your credit score?
Your credit score is a number that credit bureaus (also known as credit reporting agencies) calculate to determine how creditworthy you are. In our modern debt-driven society, your credit score helps determine whether you can buy a house or a car, and get a credit card or increase your credit limit. A low credit score could even keep you from getting hired to certain types of jobs.
So, will identity theft hurt your credit score?
The theft itself probably won’t. Just like you, the credit bureaus probably won’t know you are a victim of identity theft. But don’t celebrate just yet.
Identity theft usually leads to identity fraud which can wreck your credit. Imagine that some creep steals your data and uses it to open 10 new credit cards in your name. The existence of all those new cards will hurt your Credit Score. So will the fact that the creep charges them all to the max and doesn’t pay them when due. Even the flood of credit checks from all the stuff the jerk tries to buy will hurt your Credit Score.
So sooner or later, if you are a victim of identity theft, your credit score will probably take a hit. You simply have to do your best to protect yourself against identity theft, as well as find and fix any related fraud as fast as possible. The rest of this guide will help you do exactly that.
Identity theft protection
Now you have a sense of the incredible range of techniques identity thieves can use to get at your data. The question becomes, “How can you protect yourself?”
There are two approaches to this. One is to pay an identity theft monitoring service to do the job for you. The other is to do it yourself.
Let’s look more closely at each approach.
Identity theft monitoring services
Let’s get one thing straight right away.
These services do not protect against identity theft.
Instead, they monitor information sources like your credit report, court and arrest records, public records, payday loan services, sex offender databases, and so on, to see if your identity information appears. In other words, they try to notify you as soon as possible after you have already suffered identity fraud.
Another major drawback with identity theft monitoring services is that they can be extremely expensive. This is all the more discouraging given that you’re not getting any concrete protection from identity theft itself!
Do it yourself monitoring
While many identity theft monitoring services offer additional services such as monitoring police reports and sex offender databases, the core of their service is monitoring your credit reports. There are three major credit reporting agencies in the United States: Equifax, Experian, and TransUnion. An identity theft monitoring service will look for changes to the reports maintained by these companies that may indicate someone is using your identity fraudulently.
Some of these companies themselves, will also offer “protection” to monitor changes to your credit score.
You can do this too – and it’s free!
You are entitled to a free copy of your credit report from each of these services once a year. If you stagger those requests, you can get a free copy of your credit report every four months.
You could, for example, request one from Equifax in January, Experian in May, and TransUnion in September. That way you would have the whole year covered.
The services can’t monitor your bank accounts
Whatever services they do offer, the services can’t monitor your bank accounts. This is one of the most important steps to take, and it is something you must do yourself. If you make it a habit to regularly check your bank accounts and credit card bills for strange transactions, you will likely spot identity fraud as soon as the identity theft monitoring services would, if not sooner.
How frequently should you check all your accounts and cards? That’s your call. Some people suggest checking every account every day. Others once a week or once a month. I’ve begun checking my accounts every morning. It is a pain, and I haven’t found any issues yet, but it is good to know that I will spot a problem right away if I do get hit.
Are identity theft monitoring services even useful?
Given what we’ve just seen, is there any reason to consider using a service? Maybe.
If you are too busy or can’t be bothered to check your credit reports and monitor your accounts, paying a service to do it for you makes sense. Even though they won’t be checking your bank accounts a service greatly increases your chances of learning about a problem while it is still relatively small.
Things you can do to prevent identity theft
While you can’t really do anything about data breaches at big companies and government agencies (other than limiting the data you share with them), there are lots of things you can do to protect yourself against online and offline identity theft.
Check out this list:
- Never share your passwords. As soon as you share a password with someone else, you greatly increase the risk that some crook will get his or her hands on it. Share a password and the security of that account depends on you both protecting it properly. Do you really trust that other person to not do anything stupid with the password to your bank account?
- Never share PINs or other login credentials. This tip is related to the previous one. Just as you should never share your passwords, you should never share PINs or any other login credentials.
- Use a different password for each site. Passwords are a pain to keep track of. But if you use the same password for every account, you make life easy for an identity thief. You can bet that once a thief has one of your passwords they will try it on every other account of yours they can find.
- Use a password manager to keep track of all your passwords. This recommendation is what makes the previous one practical. A password manager can keep track of all your passwords for you in a safe and secure environment. You secure the manager using one master password. Once you log into the manager you have easy access to all the other passwords. Of course you do need to create a really good master password, one that you will always remember but that a crook won’t guess, and never write it down anywhere. If you can do that, you can use unique passwords for each of your accounts, without somehow having to memorize a giant list of the things. (Tip: I like Bitwarden. It is free, secure, and entirely open source.)
- Use a VPN whenever using public WiFi. Thanks to their generally poor security, public WiFi networks are popular targets for identity thieves. If you use a high-quality VPN whenever you connect to one of these services, your data will be safe even if the WiFi network is compromised. (Tip: Check out our reviews of the best VPN services or the VPN for beginners guide.)
- Never open email from strangers. With the prevalence of phishing attacks and emails carrying infected documents, you should never open email messages from strangers.
- Don’t open unexpected email attachments, even if they come from someone you know. Check with the sender to confirm that the attachment is legitimate before opening it.
- Cut up financial documents before discarding them. You should cut up any unsolicited card offers or copies of old financial statements before discarding them. If those unsolicited cards have big credit limits or you have lots of money to protect, you may want to take this one step further and use a paper shredder to destroy and document containing any personal information before that document reaches a trash can.
- Use a military grade file erasing program. Crooks can recover files from old disk drives even if you have deleted them. It takes a military grade file erasing program like Eraser or BleachBit to make it impossible for someone to recover that information. If you are a wealthy or otherwise believe you might be a target, consider physically destroying any disk drives that you will no longer use. Smashing old disk drives or smartphones with a hammer is the ultimate way to go.
- Contact the Postal Service immediately if bills (or all your mail) stop arriving at your mailbox or you notice any irregularities with your mail delivery.
How will you know if you are a victim?
There are two ways to find out you are a victim of identity theft. In the best case, you will find out because someone tells you about it.
We’ve all seen news reports about companies or government agencies getting hacked and their databases compromised. In such cases a warning will go out to everyone whose data was in those databases, warning that their identity information might have been (or definitely was) stolen. With prompt action on your part, you may be able to escape without major expenses or headaches.
In the worst case, you will find out that you are a victim of identity theft when someone commits fraud using your identity. This is when things really get ugly. As we saw earlier, fixing identity theft and fraud can cost you lots of time and money.
What to do if you are a victim of identity theft
Once you know you are a victim of identity theft, you need to take action immediately. But the very first thing to do is to figure out what kind of identity theft you have experienced. Why? Because there are some specialized types of identity theft that call for a specialized response.
What are those specialized types of identity theft?
Specialized types of identity theft and what to do about them
If any of these apply to you, you should go directly to the Federal Trade Commission’s IdentityTheft.gov website and click the Get Started link.
- Tax Identity Theft – You will know that this has happened if you receive a message from the IRS stating that someone used your Social Security number to get a tax refund.
- Child Identity Theft – You will know that this has happened if you start receiving bills, collection agency calls, or other complaints in your minor child’s name.
- Medical Identity Theft – You will know that this has happened if you receive bills for treatments or services you never received.
First steps for most types of identity theft
If you are not dealing with one of the specialized types of identity theft we just discussed, there is a pretty standard process to go through.
NOTE: The steps below are for informational purposes only. If you do find yourself a victim, go to https://www.identitytheft.gov/Steps for the latest, most detailed steps to follow.
- Call the fraud department at the Company or Organization where the fraud occurred. Explain that you are the victim of fraud and ask them to freeze or close the affected accounts. Be aware that in some cases, they won’t freeze or close the accounts until you have filed an FTC identity theft report.
- Change your password, PIN, or any other login information at affected Companies and Organizations.
- Place a Fraud Alert at one of the three Credit Bureaus. That one will notify the rest.
- Go to AnnualCreditReport.com and get free copies of your credit reports.
- Report the problem to the Federal Trade Commission (FTC) using this form.
Repairing the damage
Once you complete the steps above, you are ready to start repairing the damage caused by the fraud. The basic steps to follow now are:
- Close any accounts that were fraudulently opened in your name.
- Get fraudulent charges removed from any of your existing accounts.
- Get the credit bureaus to correct your credit reports.
- Consider activating an Extended Fraud Alert or a Credit Freeze. An extended fraud alert lasts for seven years, and may only be activated by a confirmed fraud victim. It allows businesses to issue new credit if they take steps to verify your identity. A credit freeze lasts until you deactivate it, and does not require you to have been the victim of fraud. While a Credit Freeze is in effect, no one has access to your credit report. This should stop identity thieves from opening new credit in your name.
Conclusion: be vigilant and mitigate risk
Identity theft and the accompanying identity fraud have been problems for many years. But as more and more of our lives have moved online, the problem has grown worse. It is now a problem that hits millions of Americans a year and costs us billions of dollars.
Unfortunately, as businesses collect more private data from people (usually for marketing purposes), this also creates more risk. This trend, coupled with the fact that hackers are getting more sophisticated and data breaches more common, likely means your information will fall into the hands of third parties.
No one can be 100% safe against this scourge. But don’t give up hope.
Common sense, vigilance, and limiting the data available to third parties goes a long way to protecting yourself against identity theft. You can do all that with the advice above and the privacy tools discussed on this website. This is especially important if you use public WiFi connections, which can easily be exploited to snoop and collect your data – a growing cybersecurity trend.
If you do become a victim, there are steps you can take to reduce your losses and recover from the attack as quickly as possible.
I’ve given you the information you need. It’s up to you to take action to remain safe. Good luck!