What is identity theft?
According to the FBI, "identity theft occurs when someone unlawfully obtains another's personal information and uses it to commit theft or fraud." The type of personal information could be anything from general data, like your name or address, to more specific data like hospital records, tax return details, or banking information. Identify theft is sometimes also referred to as identity fraud.
How does identity theft happen?
Identity theft or ID theft takes place in various ways:
Data breaches can be either accidental or intentional:
- An accidental data breach might occur when an organization's employee leaves a work computer—containing personally identifiable information (PII) or a way to access it—in a vulnerable place, allowing someone to steal it.
- An intentional breach typically involves criminals finding a way to access an organization's computer network to steal sensitive data. The criminals might deploy a sophisticated technical attack or simply trick an employee into clicking on a link that creates an attack opening to be exploited.
Regardless of how it happens, a data breach can expose the PII of millions of unwitting victims.
Unsafe social media use:
Social media encourages sharing personal information, but reckless oversharing can endanger your personal safety and financial records. For example, it’s easy to disclose your date of birth, your location, where you went to school, your pet’s name, your phone number, and other personal details on social networks. If cybercriminals are watching, they can use this data to piece together information about you to commit identity fraud.
If you don't regularly change your email password, you’re increasing the risk of being hacked. And if you use the same password for multiple sites, such as banking or shopping sites, hackers could obtain access to all your accounts, then lock you out and go on a spending spree.
Even though a lot of our communication has moved online, interested parties can still find out a great deal about you by going through your trash. Since long before the internet, identity thieves have been combing through the mail to find documents that contain personal information. Bank and credit card statements, pre-approved credit card offers, tax information, and other personal documents sent through the postal system can be intercepted and used to access your data. Always keep financial and other personal documents for at least seven years, and shred all personally identifiable information before throwing it away.
By sticking to well-known websites and websites which have an up-to-date security certificate, you can browse the internet safely. But if you share any information on an unsecured website or a website that hackers have compromised, you could be putting your sensitive information directly in the hands of a thief. Some browsers may alert you if you try to access a risky website.
Dark web marketplaces:
Once your personally identifying information has been stolen, it can often end up on the dark web. Hackers may not necessarily be stealing your information to use it for themselves – often, they choose to sell it to others who have potentially malicious intentions.
The dark web is a hidden network of websites that aren't accessible by normal browsers. People who visit the dark web use special software to mask their identities and activity, making it a haven for fraudsters. If your information ends up on a dark web marketplace, anybody could buy it, putting your identity in more danger.
Phishing and spam attacks:
Phishing is a form of social engineering. Phishing occurs when an attacker masquerades as a trusted entity to dupe a victim into opening an email, text message, or instant message. Users falling for phishing attacks is a common cause of data theft.
If you use your computer or phone on a public Wi-Fi network— perhaps in an airport or coffee shop —hackers may be able to spy on your connection. This means that if you type in a password, bank account or credit card number, Social Security number, or anything else, a criminal could intercept it and use it for their own purposes.
Mobile phone theft:
Smartphones contain a treasure trove of information for identity thieves, especially if your apps allow you to log in automatically without a password or fingerprint. If someone manages to steal and unlock your phone, it could enable them to view the information found in your apps, as well as in your emails, text messages, notes, and more. That's why it is essential to ensure that your phone locks with a secure passcode, biometric screening is set up correctly and that your passwords aren't stored in plain text anywhere on your phone.
Some thieves use a skimming device placed over a card reader on an ATM to skim information from that ATM. The skimming device can steal the data stored on a credit or debit card's magnetic strip and then store or transmit it.
Identity theft statistics
According to the 2021 Identity Fraud Study by Javelin Strategy & Research:
- Identity fraud cost Americans a total of about $56 billion in 2020, with about 49 million consumers falling victim.
- About $13 billion in losses were due to what Javelin calls “traditional identity fraud,” where cybercriminals steal personally identifiable information and use it for their own gains, such as through data breaches.
- But the bulk of the losses, $43 billion, stemmed from identity theft scams where criminals interact directly with consumers to steal their information through methods such as robocalls and phishing emails. Victims of these scams lost $1,100 on average, according to Javelin.
- Because the Covid-19 pandemic changed the way people shopped and transferred money, criminals are increasingly targeting digital wallets and peer-to-peer payment methods such as Apple Pay and Zelle. About 18 million victims in the US fell prey to scams through these digital payment methods in 2020.
Who is stealing your identity?
Identity thieves are a diverse group, and many come from quite unexpected places. Many victims know their attackers – it could be a co-worker, friend, employee, neighbor, or even a family member. Tech-savvy children may see benefits in stealing Mom or Dad's credit card and Amazon login to buy a few items, assuming there's no real ‘victim’ if they eventually come clean and apologize. Work acquaintances may see an opportunity too good to pass up if you leave your computer unlocked or your wallet sitting out.
Petty criminals are getting in on the action since it's possible to download turnkey malware programs for little or no cost. Organized crime gangs using trained computer science graduates are also out looking for large quantities of personal data. These groups are often responsible for significant retail attacks and health care breaches. The sheer volume of this data is worth a great deal on the black market.
What do thieves do with your identity?
There are two timescales at play: immediate use and holding for sale:
- Criminals who want to use your data right now will try everything, all at once. They will try to hack email, smartphones, and retail sites to access bank accounts—all while calling credit card companies to create new user profiles. Although these attacks are short-lived, they can be financially ruinous.
- Other criminals will hold on to your data and either try to sell it or open a single new credit card that they'll use until the limit is reached and you start getting calls from the collection agency. These attacks are harder to detect and can add up to greater losses over time.
Anyone can be a target for identity thieves. If any of your data is online—personal info, credit card data, address, phone number—you are at risk of being compromised. Criminals don't discriminate: the more information you have online, the greater your risk.
How can you protect yourself from identity theft?
So, how to prevent identity theft and protect your identity online? Here are some precautions you can take to avoid a stolen identity:
Keep data to a 'need to know’ basis:
If someone is asking for your personal information – such as your Social Security number, credit card number, passport number, date of birth, work history or credit status, etc. – ask why they need it and how they will use it. What security measures do they have in place to ensure your private information remains private?
Use social media sparingly:
Familiarize yourself with each social networking platform’s security settings and ensure these are set to a level you are comfortable with. Avoid disclosing personal information like your address or date of birth in your social media bios, and be careful about the information you provide to any dating or meet-up sites. Criminals can use this data to build up a picture of you.
Keep your computer up to date:
Many hackers use malware to steal your information. Keeping your computer up to date with security patches and antivirus software helps protect against existing vulnerabilities and detect new attacks.
To limit the chance of a malware infection, avoid opening unknown email attachments or browsing suspicious websites.
Destroy private records and statements:
Shred credit card and bank statements and other documents that contain private financial or sensitive information. Minimize your paper trail by not leaving ATM, credit card, or gas station receipts behind when you’re out and about.
Secure your mail:
Empty your mailbox quickly, lock it or get a PO box, so criminals don't have a chance to steal sensitive mail.
Safeguard your Social Security number:
In the US, your Social Security number is the master key to your personal data. Guard it as best you can. When asked for your number, ask why it is needed and how it will be protected. Don't carry your card with you. Securely store or shred paperwork containing your Social Security number.
Never let your credit card out of your sight:
Always keep an eye on your credit or bank card, and don’t let retailers or others take it out of your sight. Also, be vigilant for card skimming devices at ATMs.
Review your credit cards statements carefully:
Read financial statements. Make sure you recognize every transaction. Know due dates and call to investigate if you do not receive an expected bill. Review ‘explanation of benefits’ statements to make sure you recognize the services provided to guard against health care fraud.
Ensure that you only ever log into banking websites using a secure connection. Don't save your credit card information online.
Know who you’re dealing with:
If someone contacts you requesting your personal or financial information, find out who they are, what company or organization they represent, and the reason for their call. If you think the request is legitimate, contact the company yourself and confirm what you were told before disclosing any of your personal data.
Remove your name from marketing lists:
Unsubscribe yourself from unwanted marketing lists. In the US, you can also add yourself to the national Do-Not-Call registry (1-888-382-1222).
Monitor your credit report:
Obtain and thoroughly review your credit report at least once a year to check for suspicious activity. If you find something, alert your card company or the creditor immediately. You may also investigate credit protection services, which alert you any time a change takes place with your credit report.
What to do if your identity is stolen
Identity fraud is on the rise and can cause significant damage, yet many people aren't sure what to do when they become a victim of this crime. Follow this step-by-step guide on what to do if your identity is stolen:
Discover the source:
Before you can correct the problem and get identity theft help, it's important to know the attack's origin. While traditional identity theft involved criminals ‘dumpster diving’ to obtain personal information such as receipts or credit card bills, thieves increasingly target popular online services. Banking websites, online retailers, and dating sites hold a wealth of consumer information.
Many signs can indicate you may have been a victim of identity theft, e.g., if new credit accounts have been opened in your name, purchases have been made without your consent, or your contact information with government agencies has been altered. As soon as you realize you've been victimized, think about your recent online activity:
- Did you respond to any emails that appeared to be from financial institutions claiming that your account was suspended or under review?
- Did you download any video players or media files as attachments from senders you didn't know?
- Have any e-commerce sites you regularly use recently sustained a cyberattack?
Any one of these could create a vulnerability to hacking.
Notify affected creditors or banks:
Once you've discovered the theft, start making calls. Begin with any companies where the fraud occurred, such as your credit card issuer or bank. Ask them to close or freeze your accounts and change all your login and password information.
Most credit cards have zero-liability policies and other protections for cardholders affected by identity theft. In the US, victims of credit card fraud are also protected under the Fair Credit Billing Act, which specifies that the maximum liability for unauthorized charges is just $50. On the other hand, ATM or debit cards and electronic transfers from your bank account fall under the Electronic Fund Transfer Act. Under the terms of this law, consumers must act quickly.
Reporting a lost or stolen ATM or debit card before any fraudulent transactions will ensure you are not responsible for any changes made after that. This means it is in your best interest to report suspicious activity as soon as possible. Once you have filed an identity theft report and a police report, you should share them with your creditor as well.
Place a fraud alert on your credit report:
Fraud can negatively impact your credit score — leaving long-lasting effects — which means protecting your credit from further damage should be high on the list of priorities if you’re affected. Contact one of the main credit bureaus, which in the US are:
Ask for a credit report and have a fraud alert placed on your accounts for 90 days. Once you have contacted one of these agencies, they are obligated to inform the other two.
Fraud alerts are free and, once placed, remain on your report for one year. If you want to keep the alert longer, you can get a new one after the first year. An alert makes it difficult for fraudsters to open accounts in your name since businesses must contact you before issuing any credit when a fraud alert is on your report.
If you are a victim of identity theft, you can place an extended fraud alert on your report, lasting seven years. Before placing the extended alert in the US, you need to complete an Identity Theft Report.
Review your credit reports:
Once you have set up a fraud alert on your credit file, you will automatically receive access to one free credit report from each of the three agencies.
Read through each of your reports for signs of identity theft — for example, new accounts you didn’t open, payment history or inquiries you don’t recognize, an employer you never worked for, and any personal information which is unfamiliar.
It is also advisable to review each of your credit reports again at least once over the next year to check for any continued signs of identity theft.
Freeze your credit:
Freezing your credit is free and prevents credit reporting agencies from releasing your credit report to new creditors. Contact the main credit bureaus and request it.
For the most robust defense against identity fraud, experts recommend placing both a fraud alert and credit freeze on your report. There is no time limit to a freeze; it will remain until you decide to lift it, which you may do temporarily or permanently.
When you place the freeze on your report, the bureaus will issue a PIN or password, which you will need when you decide to lift the freeze. Losing track of your PIN may delay or hinder your ability to unfreeze your credit, so keep it in a safe place while the freeze is active.
How do I report identity theft?
Different jurisdictions worldwide will have their own agencies to whom you can report identity theft and receive assistance with identity theft recovery. For example:
- In the United States: report your identity theft to the FTC by completing the online form at IdentityTheft.gov or by calling 877-438-4338, providing as many details as possible. Reporting the theft to the FTC will ensure you receive a recovery plan and an Identity Theft Report, proving that your identity has been stolen.
- In the UK, you can contact Action Fraud on 0300 123 2040 or at the Action Fraud website.
- In Australia, you can report identity fraud to Scam Watch.
Contact the police:
You may also want to alert your local police department. If you do contact the police, take a copy of your Identity Theft Report, a government-issued photo ID, proof of your current address, and any proof that your identity has been used for identity theft — such as collections notices. Remember to ask for a copy of the police report in case you need it. Make a note of your police investigator’s phone number for future reference.
Remove fraudulent info from your credit report:
Once you have reviewed your credit report, contact each of the leading credit bureaus to have any fraudulent information you find removed. In the US, you can use this sample letter suggested by the FTC as a template.
Along with the letter, include a copy of your Identity Theft Report and identifying information, along with details about which information is fraudulent. This allows you to remove, or block, the information from your report so it won’t appear and you won’t be contacted to pay any of the debts. Continue to keep a close eye on your credit report in case any additional fraudulent accounts are subsequently added.
Change all affected account passwords:
Change all your passwords on any account that was affected by fraud. If one of your existing accounts doesn’t have a password, now is the time to create a strong password. A strong password is at least 12 characters or longer and comprises a mix of upper- and lower-case letters plus symbols and numbers. The shorter and less complex your password is, the easier it is for cybercriminals to crack. You should avoid choosing something obvious – such as sequential numbers (“1234”) or personal information that someone who knows you might guess, such as your date of birth or a pet’s name.
To make your passwords more complex, you could consider creating a 'passphrase' instead. Passphrases involve picking a meaningful phrase that is easy to remember and then making the first letter of every word the password.
Avoid using the same password for multiple accounts and never write passwords down. If you have too many passwords to remember, consider using a password manager to help you keep track. Remember to change your passwords regularly – every six months or so.
Contact your telephone and utility companies:
It’s a good idea to contact your utility providers and telephone carriers if an identity thief tries to open a new account in your name, using a utility bill as proof of residence. If an account was opened in your name, explain what happened to the service provider and ask for the account to be closed.
Protect yourself with antivirus:
While this may sound overwhelming, it pays to know what to do if your identity is stolen. The tips above can help mitigate the damage and help you get your life back on track. You can maximize your online safety by using a comprehensive antivirus. Kaspersky Total Security works 24/7 to protect your devices and data, blocking common and complex threats like viruses, malware, ransomware, spy apps, and all the latest hacker tricks.