Identity theft has become one of the greatest worries for Americans. And no wonder. We all know someone (more likely many people) who have been victims of identity theft. Unfortunately, this is a trend that is only getting worse.
Between personal horror stories around the dinner table, and the endless reports of data breaches exposing our personal data to crooks from around the world, you won’t be surprised to hear that identity theft is a rapidly growing problem. And with more people shopping online, there are also more news reports of identity theft risks associated with online payments and shared data.
In this guide, I’ll fill you in on identity theft and identity theft protection. We’ll talk about what’s happening, what you can do to protect yourself, and what to do if you become a victim of identity theft or fraud. It isn’t a pretty picture, but you aren’t completely helpless either.
What is identity theft?
What exactly is identity theft? It is the act of stealing someone’s personal, private, or financial data. A criminal can use this data to impersonate you for the purpose of committing some kind of fraud or crime. They use the data they steal to do things like open multiple credit card accounts in your name. Then they go on a wild spending spree while you get stuck with the bill.
The problem of identity theft has become so pervasive that even the US Department of Justice has been with identity theft cases spanning the globe.
Identity Theft vs Identity Fraud vs Identity Data Exposure
Most of the information you will find about identity theft tends to mash together three separate, but related concepts. Because there are times when they need to be treated differently, we’re going to tease them apart right now.
As we discussed earlier, identity theft is the act of stealing personal, private, or financial data. The data may or may not have been used, but it is in unfriendly hands.
Identity fraud is using someone else’s identity in a fraudulent or deceptive manner, usually for financial gain. Not all victims of identity theft become victims of identity fraud.
Identity data exposure is where identity data is in an insecure state. A good example is when you lose your wallet. Any personal, private, or financial data in your wallet is not secure, since you have no idea who has access to it. By the same token, you don’t know if your data has been stolen or is simply lost. Whatever the reality of the situation, the safe bet is to assume you are a victim of identity theft.
Further confusing things is the fact that the public and most information sources use the term identity theft for the actual theft and for the fraud that it can lead to.
Throughout this article, we will take care to distinguish between these three concepts whenever the distinction is relevant.
Identity theft / identity fraud statistics
Now that we’ve got the concepts clear, let’s look at some identity theft / identity fraud statistics, starting with official stats from the US government.
The Bureau of Justice Statistics (BJS) is part of the United States Department of Justice (DOJ). Their latest report on the subject, titled Victims of Identity Theft, 2018, was published in April of 2021. According to the study, about 9% of people age 16 or over in the US reported being a victim of identity theft within the preceding 12 months. This equates to approximately 23 million people.
This report also illustrates the confusing way the terms identity theft and identity fraud are used. 90% of identity theft victims said the,
most recent incident involved the misuse or attempted misuse of only one type of existing account, such as a credit card or bank account.
In other words, they were actually talking about identity fraud. In fact, the report defines a victim of identity theft as someone age 16 or older who has experienced one or more of the following:
- Misuse of an Existing Account
- Misuse of a New Account
- Misuse of Personal Information
Those are all instances of identity fraud.
So as you look at the statistics that follow, realize that in most cases, the stats will be talking about fraud, regardless of the name they use for it. And since it is certain that there are more cases of actual identity theft than of identity fraud, the statistics are understating the true problem.
With more online shopping, identity theft on the rise
The Federal Trade Commission (FTC) publishes an annual report of identity theft statistics — and last year was a record. According to the FTC’s report, the number of identity theft reports jumped to record highs. For 2020, there were 1,387,615 reports of identity theft, which is a 113% increase over the previous year.
Additionally, there were 2.2 million fraud reports, which includes identity theft, imposter scams, and “online shopping and negative reviews” in 2020.
Identity theft risk varies wildly depending on where you live
While every state in the United States is plagued by identity theft, the likelihood you will be targeted appears to depend on where you live.
Note: The following information is based on the number of incidents reported to the FTC for each state.
- Puerto Rico and Vermont are tied for the lowest reported rate, at 51 incidents per 100,000 citizens.
- Georgia had by far the highest reported rate, with 229 reported incidents per 100,000 residents.
How does identity theft happen?
Thieves use a variety of techniques to steal your identity both online and offline.
Here are some of the most common:
Offline techniques are in many ways old-school identity theft. That is, many of these techniques predate the widespread use of the Internet, and rely on tricks like looking over your shoulder…
A thief will watch or listen to you in a public place in order to learn your credit card number, password, ATM PIN, or other information. Sometimes they will literally look over your shoulder. More frequently, they will watch from a distance, with binoculars or hidden cameras that allow them to get your information at little risk to themselves.
Stealing your discarded mail
If you get “pre-approved” credit card offers in the mail and discard them without cutting up the cards and related information, a thief may retrieve the material from your trash and attempt to open an account in your name. This is often referred to as “dumpster diving,” even though the thief works by going through your personal trash.
Redirecting your mail
Thieves have been known to complete change of address forms for their victims. The result is the postal service sending mail to a new destination, where the thieves look through it for information they can use in identity fraud.
Skimming your cards
This is where someone makes an electronic copy of the information on your credit or debit card while processing a regular transaction. Once they copy your information, they can make transactions on your card. Skimming involves more than just copying the visible information on the card. It requires an electronic device to record the data on the card’s magnetic strip.
While the skimmer can be a handheld device, they are sometimes secretly added to ATMs or other machines that read your card. According to NBC News, the United States Secret Service was finding 20 to 30 skimmers per week at gas pumps around the country. On average, each skimmer device had information for 80 credit cards stored in it. This is an ongoing problem that does not appear to be subsiding.
Theft of your wallet or purse
Identity thieves can also get your information by physically stealing it from you. By taking your wallet or purse a thief gets access to a vast amount of personal and financial information that can be used to commit identity fraud.
Today, online techniques are the most common means of identity theft. After all, a crook can send a sneaky or infected email to thousands of potential victims in seconds, for free. Compare that to sneaking into someone’s yard at midnight to dig through their trash looking for unsolicited credit card offers. For any creep who wants to hit a lot of targets, the online techniques are the way to go.
Here are some of the most common online identity theft techniques:
- Phishing – Phishing attacks involve sending email messages to you in hopes of tricking you into revealing something you shouldn’t, or doing something dangerous. Phishing attacks come in various forms, including spear phishing (an attack aimed at a specific individual) and clone phishing (creating a phony email based on a legitimate one you have probably already received).
- Pharming – Pharming attacks use a hack of your Domain Name Service (DNS) or manipulation of the files on your computer to redirect you to a phony website matching the one you think you are going to. Banking websites are particular targets for pharming. You think you are entering your data into your bank’s website, but instead, the data goes to the identity thief who can use it to log into your account.
- Malware – Thieves may send you email messages or documents that contain malware. This evil software then directly or indirectly gives the thief access to personal or financial data on your computer. It may install a keylogger, which records everything you do on the computer and sends it all to the thief for use in identity fraud.
- Hacking – Hacking attacks take advantage of weaknesses in your computer’s security to steal data. Alternately, they may break into the network your computer is connected to, getting at your data from the inside. This is a particular problem on public WiFi networks, which often have little or no security.
- Phony Profile – A phony profile attack seeks to gain your confidence on social media or dating sites. Once the thief gains your confidence, they will try to trick you into giving them information they can use for identity fraud.
- Searching Old Hardware – When people sell or discard old computers or smartphones they seldom think to securely erase the hard drives and memory. Identity thieves can search this old hardware to find information they can use to impersonate you.
Theft from trusted third parties
Identity thieves don’t even have to target us as individuals to steal our information. All sorts of third parties have copies of some or all of your identity information. From stores where you use your credit card, to your doctor’s office, to the giant credit agencies, to the Social Security Administration, the NSA, and dozens of other government agencies, information about you that can be used for identity theft and fraud is all over the place.
These enormous databases (many contain records on millions of people) are prime targets for identity theft. Here’s yet another recent example with half a billion Facebook users having their data exposed.
As we saw in the Statistics section, billions of records about individuals have been stolen from databases over the years. And billions more will be stolen in the years to come. So even if you personally avoid all the phishing attacks, don’t get tricked by some liar at an online dating service, and never get your wallet or purse stolen, the odds are high that you will be, or already have been, a victim of identity theft if not identity fraud.
Will identity theft hurt your credit score?
Your credit score is a number that credit bureaus (also known as credit reporting agencies) calculate to determine how creditworthy you are. In our modern debt-driven society, your credit score helps determine whether you can buy a house or a car, and get a credit card or increase your credit limit. A low credit score could even keep you from getting hired to certain types of jobs.
So, will identity theft hurt your credit score?
The theft itself probably won’t. Just like you, the credit bureaus probably won’t know you are a victim of identity theft. But don’t celebrate just yet.
Identity theft usually leads to identity fraud which can wreck your credit. Imagine that some creep steals your data and uses it to open 10 new credit cards in your name. The existence of all those new cards will hurt your Credit Score. So will the fact that the creep charges them all to the max and doesn’t pay them when due. Even the flood of credit checks from all the stuff the jerk tries to buy will hurt your Credit Score.
So sooner or later, if you are a victim of identity theft, your credit score will probably take a hit. You simply have to do your best to protect yourself against identity theft, as well as find and fix any related fraud as fast as possible. The rest of this guide will help you do exactly that.
Identity theft protection
Now you have a sense of the incredible range of techniques identity thieves can use to get at your data. The question becomes, “How can you protect yourself?”
There are two approaches to this. One is to pay an identity theft monitoring service to do the job for you. The other is to do it yourself.
Let’s look more closely at each approach.
Identity theft monitoring services
Let’s get one thing straight right away.
These services do not protect against identity theft.
Instead, they monitor information sources like your credit report, court and arrest records, public records, payday loan services, sex offender databases, and so on, to see if your identity information appears. In other words, they try to notify you as soon as possible after you have already suffered identity fraud.
Another major drawback with identity theft monitoring services is that they can be extremely expensive. This is all the more discouraging given that you’re not getting any concrete protection from identity theft itself!
Do it yourself monitoring
While many identity theft monitoring services offer additional services such as monitoring police reports and sex offender databases, the core of their service is monitoring your credit reports. There are three major credit reporting agencies in the United States: Equifax, Experian, and TransUnion. An identity theft monitoring service will look for changes to the reports maintained by these companies that may indicate someone is using your identity fraudulently.
Some of these companies themselves, will also offer “protection” to monitor changes to your credit score.
You can do this too – and it’s free!
You are entitled to a free copy of your credit report from each of these services once a year. If you stagger those requests, you can get a free copy of your credit report every four months.
You could, for example, request one from Equifax in January, Experian in May, and TransUnion in September. That way you would have the whole year covered.
The services can’t monitor your bank accounts
Whatever services they do offer, the services can’t monitor your bank accounts. This is one of the most important steps to take, and it is something you must do yourself. If you make it a habit to regularly check your bank accounts and credit card bills for strange transactions, you will likely spot identity fraud as soon as the identity theft monitoring services would, if not sooner.
How frequently should you check all your accounts and cards? That’s your call. Some people suggest checking every account every day. Others once a week or once a month. I’ve begun checking my accounts every morning. It is a pain, and I haven’t found any issues yet, but it is good to know that I will spot a problem right away if I do get hit.
Are identity theft monitoring services even useful?
Given what we’ve just seen, is there any reason to consider using a service? Maybe.
If you are too busy or can’t be bothered to check your credit reports and monitor your accounts, paying a service to do it for you makes sense. Even though they won’t be checking your bank accounts a service greatly increases your chances of learning about a problem while it is still relatively small.
Things you can do to prevent identity theft
While you can’t really do anything about data breaches at big companies and government agencies (other than limiting the data you share with them), there are lots of things you can do to protect yourself against online and offline identity theft.
Check out this list:
- Never share your passwords. As soon as you share a password with someone else, you greatly increase the risk that some crook will get his or her hands on it. Share a password and the security of that account depends on you both protecting it properly. Do you really trust that other person to not do anything stupid with the password to your bank account?
- Never share PINs or other login credentials. This tip is related to the previous one. Just as you should never share your passwords, you should never share PINs or any other login credentials.
- Use a different password for each site. Passwords are a pain to keep track of. But if you use the same password for every account, you make life easy for an identity thief. You can bet that once a thief has one of your passwords they will try it on every other account of yours they can find.
- Use a password manager to keep track of all your passwords. This recommendation is what makes the previous one practical. A password manager can keep track of all your passwords for you in a safe and secure environment. You secure the manager using one master password. Once you log into the manager you have easy access to all the other passwords. Of course you do need to create a really good master password, one that you will always remember but that a crook won’t guess, and never write it down anywhere. If you can do that, you can use unique passwords for each of your accounts, without somehow having to memorize a giant list of the things. (Tip: I like Bitwarden. It is free, secure, and entirely open source.)
- Use a VPN whenever using public WiFi. Thanks to their generally poor security, public WiFi networks are popular targets for identity thieves. If you use a high-quality VPN whenever you connect to one of these services, your data will be safe even if the WiFi network is compromised. (Tip: Check out our reviews of the best VPN services or the VPN for beginners guide.)
- Never open email from strangers. With the prevalence of phishing attacks and emails carrying infected documents, you should never open email messages from strangers.
- Don’t open unexpected email attachments, even if they come from someone you know. Check with the sender to confirm that the attachment is legitimate before opening it.
- Cut up financial documents before discarding them. You should cut up any unsolicited card offers or copies of old financial statements before discarding them. If those unsolicited cards have big credit limits or you have lots of money to protect, you may want to take this one step further and use a paper shredder to destroy and document containing any personal information before that document reaches a trash can.
- Use a military grade file erasing program. Crooks can recover files from old disk drives even if you have deleted them. It takes a military grade file erasing program like Eraser or BleachBit to make it impossible for someone to recover that information. If you are a wealthy or otherwise believe you might be a target, consider physically destroying any disk drives that you will no longer use. Smashing old disk drives or smartphones with a hammer is the ultimate way to go.
- Contact the Postal Service immediately if bills (or all your mail) stop arriving at your mailbox or you notice any irregularities with your mail delivery.
Use a data removal service
There are new tools coming online to help you remove your personal data from online sources, such as people searches and ‘whitepages’ websites. In addition to taking the steps above, it’s also wise to utilize an personal data removal service. These services basically do the hard work for you, acting on your behalf to remove you personal data from online data brokers.
Here are a few data removal services to consider using today:
- Incogni – A fully-featured data removal service from the makers of Surfshark VPN. Incogni is a powerful and effective service covering a wide range of websites. (See our Incogni review for the test results.)
- Optery – A basic data removal service from a startup in San Francisco. (See the Optery review for more info.)
- Privacy Bee – A comprehensive data removal tool, but also more expensive than some other options. (See our Privacy Bee review for more details.)
- DeleteMe – A full-featured data removal service, but also expensive.
How will you know if you are a victim?
There are two ways to find out you are a victim of identity theft. In the best case, you will find out because someone tells you about it.
We’ve all seen news reports about companies or government agencies getting hacked and their databases compromised. In such cases a warning will go out to everyone whose data was in those databases, warning that their identity information might have been (or definitely was) stolen. With prompt action on your part, you may be able to escape without major expenses or headaches.
In the worst case, you will find out that you are a victim of identity theft when someone commits fraud using your identity. This is when things really get ugly. As we saw earlier, fixing identity theft and fraud can cost you lots of time and money.
What to do if you are a victim of identity theft
Once you know you are a victim of identity theft, you need to take action immediately. But the very first thing to do is to figure out what kind of identity theft you have experienced. Why? Because there are some specialized types of identity theft that call for a specialized response.
What are those specialized types of identity theft?
Specialized types of identity theft and what to do about them
If any of these apply to you, you should go directly to the Federal Trade Commission’s IdentityTheft.gov website and click the Get Started link.
- Tax Identity Theft – You will know that this has happened if you receive a message from the IRS stating that someone used your Social Security number to get a tax refund.
- Child Identity Theft – You will know that this has happened if you start receiving bills, collection agency calls, or other complaints in your minor child’s name.
- Medical Identity Theft – You will know that this has happened if you receive bills for treatments or services you never received.
First steps for most types of identity theft
If you are not dealing with one of the specialized types of identity theft we just discussed, there is a pretty standard process to go through.
NOTE: The steps below are for informational purposes only. If you do find yourself a victim, go to https://www.identitytheft.gov/Steps for the latest, most detailed steps to follow.
- Call the fraud department at the Company or Organization where the fraud occurred. Explain that you are the victim of fraud and ask them to freeze or close the affected accounts. Be aware that in some cases, they won’t freeze or close the accounts until you have filed an FTC identity theft report.
- Change your password, PIN, or any other login information at affected Companies and Organizations.
- Place a Fraud Alert at one of the three Credit Bureaus. That one will notify the rest.
- Go to AnnualCreditReport.com and get free copies of your credit reports.
- Report the problem to the Federal Trade Commission (FTC) using this form.
Repairing the damage
Once you complete the steps above, you are ready to start repairing the damage caused by the fraud. The basic steps to follow now are:
- Close any accounts that were fraudulently opened in your name.
- Get fraudulent charges removed from any of your existing accounts.
- Get the credit bureaus to correct your credit reports.
- Consider activating an Extended Fraud Alert or a Credit Freeze. An extended fraud alert lasts for seven years, and may only be activated by a confirmed fraud victim. It allows businesses to issue new credit if they take steps to verify your identity. A credit freeze lasts until you deactivate it, and does not require you to have been the victim of fraud. While a Credit Freeze is in effect, no one has access to your credit report. This should stop identity thieves from opening new credit in your name.
Conclusion: be vigilant and mitigate risk
Identity theft and the accompanying identity fraud have been problems for many years. But as more and more of our lives have moved online, the problem has grown worse. It is now a problem that hits millions of Americans a year and costs us billions of dollars.
Unfortunately, as businesses collect more private data from people (usually for marketing purposes), this also creates more risk. This trend, coupled with the fact that hackers are getting more sophisticated and data breaches more common, likely means your information will fall into the hands of third parties.
No one can be 100% safe against this scourge. But don’t give up hope.
Common sense, vigilance, and limiting the data available to third parties goes a long way to protecting yourself against identity theft. You can do all that with the advice above and the privacy tools discussed on this website. This is especially important if you use public WiFi connections, which can easily be exploited to snoop and collect your data – a growing cybersecurity trend.
If you do become a victim, there are steps you can take to reduce your losses and recover from the attack as quickly as possible.
I’ve given you the information you need. It’s up to you to take action to remain safe. Good luck!