Identity theft occurs when someone uses another person's personal information without authorization to commit fraud or other crimes. Identity thieves obtain personal information such as Social Security numbers, names, addresses, and financial account details, then use this information to open accounts, make purchases, file taxes, or commit crimes in the victim's name. Identity theft can cause financial losses, credit damage, legal complications, and require significant time and effort to resolve. Understanding how identity theft occurs, types of identity fraud, methods used to steal information, protection strategies, and recovery procedures helps individuals protect themselves and respond if victimized. This page provides a technical overview of identity theft, types of fraud, information theft methods, and protection and recovery strategies.
Identity Theft Definition
Identity theft is the unauthorized use of personal information to commit fraud. Key characteristics include:
- Personal Information Misuse: Using someone else's personal information without authorization
- Fraudulent Activity: Using stolen information to commit fraud, including financial fraud, tax fraud, or other crimes
- Victim Harm: Causing financial, credit, legal, or other harm to victims
- Identity Impersonation: Impersonating victims to access accounts, services, or commit crimes
Identity theft can have serious consequences including financial losses, credit damage that affects ability to obtain credit, legal complications if crimes are committed in victim names, and significant time required to resolve issues.
Information Targeted by Identity Thieves
Identity thieves seek various types of personal information:
- Social Security Number: Used as a primary identifier for many financial and government transactions
- Full Name and Date of Birth: Basic identification information used for verification
- Address History: Previous addresses used for account verification questions
- Financial Account Numbers: Bank account numbers, credit card numbers, and other financial identifiers
- Login Credentials: Email passwords, banking passwords, social media passwords that provide account access
- Government ID Numbers: Driver's license numbers, passport numbers used for identification
- Medical Insurance Information: Insurance numbers and medical information used for medical identity theft
- Tax Information: Tax identification numbers and filing information used for tax refund fraud
The more information thieves obtain, the more comprehensive the identity theft can be. Social Security numbers combined with other identifying information are particularly valuable.
Types of Identity Theft
Financial Identity Theft
Financial identity theft involves using personal information for financial fraud:
- Account Opening: Opening credit cards, bank accounts, or loans in victim names
- Unauthorized Purchases: Making purchases using victim credit cards or accounts
- Account Draining: Draining bank accounts or accessing financial resources
- Loan Fraud: Taking out loans using victim identities
Financial identity theft can cause direct financial losses and damage credit scores, affecting victims' ability to obtain credit or loans.
Tax Identity Theft
Tax identity theft involves filing false tax returns using stolen Social Security numbers:
- Fraudulent Returns: Filing false tax returns claiming refunds using victim Social Security numbers
- Refund Theft: Stealing tax refunds that belong to victims
- Detection Delay: Victims typically discover tax identity theft when legitimate returns are rejected
Tax identity theft can delay legitimate tax refunds and require significant effort to resolve with tax authorities.
Medical Identity Theft
Medical identity theft involves using victim identities to obtain medical care:
- Medical Care Access: Obtaining medical care, prescriptions, or procedures using victim identities
- Insurance Fraud: Filing insurance claims using victim insurance information
- Medical Record Corruption: Medical procedures performed under victim identities can corrupt medical records
- Health Risks: Corrupted medical records can create health risks if incorrect information affects future medical care
Medical identity theft can corrupt medical records with incorrect information, potentially affecting future medical care decisions.
Criminal Identity Theft
Criminal identity theft involves providing victim information to law enforcement:
- Identity Provision: Providing victim personal information during arrests or interactions with law enforcement
- Criminal Record Attachment: Criminal records become attached to victim identities rather than actual criminals
- Legal Complications: Victims may face legal complications, warrants, or records from crimes they did not commit
Criminal identity theft can create serious legal complications for victims, including arrest warrants or criminal records for crimes they did not commit.
Synthetic Identity Theft
Synthetic identity theft combines real and fake information to create new identities:
- Identity Combination: Combining real Social Security numbers with fake names or other information
- New Identity Creation: Creating identities that do not fully match real individuals
- Detection Difficulty: More difficult to detect because identities do not fully match real victims initially
Synthetic identity theft can be more difficult to detect because it combines real and fake information, creating identities that may not immediately alert victims.
Child Identity Theft
Child identity theft targets children's Social Security numbers:
- Clean Credit: Children's Social Security numbers have no credit history, making them valuable to thieves
- Undetected Theft: Theft may go undetected for years because children typically do not monitor credit
- Discovery Delay: Victims may discover identity theft years later when attempting to establish credit as adults
Child identity theft can go undetected for extended periods, making it particularly damaging when discovered years later.
How Identity Theft Occurs
Identity thieves obtain personal information through various methods:
Data Breaches
Organizations experience data breaches that expose personal information:
- Organizational Breaches: Companies, government agencies, or organizations experience security breaches
- Mass Data Exposure: Large amounts of personal information exposed in single breaches
- Information Sale: Stolen information sold on underground markets or used for identity theft
Data breaches can expose millions of records simultaneously, making information available to identity thieves on large scales.
Phishing
Phishing attacks trick victims into revealing personal information:
- Deceptive Emails: Fake emails impersonating legitimate organizations requesting information
- Fake Websites: Fake websites designed to capture personal information entered by victims
- Phone Calls: Phone calls impersonating organizations requesting information
Phishing relies on social engineering to convince victims to voluntarily provide personal information.
Mail Theft
Physical mail theft provides access to personal information:
- Mailbox Theft: Stealing mail containing bank statements, tax forms, or financial documents
- Pre-approved Offers: Stealing pre-approved credit card offers that can be used to open accounts
- Check Theft: Stealing checks that contain account information
Dumpster Diving
Searching through trash for documents containing personal information:
- Document Retrieval: Retrieving discarded documents with personal information
- Information Extraction: Extracting account numbers, Social Security numbers, or other identifiers from discarded documents
Dumpster diving can yield significant information if documents are not properly shredded before disposal.
Skimming
Skimming devices capture payment card information:
- ATM Skimming: Devices attached to ATMs that capture card numbers and PINs
- Point-of-Sale Skimming: Devices attached to payment terminals that capture card information
- Card Data Capture: Capturing card numbers, expiration dates, and PINs for unauthorized use
Social Engineering
Social engineering manipulates people into revealing information:
- Manipulation Tactics: Using psychological manipulation to convince victims to provide information
- Pretexting: Creating false scenarios to justify information requests
- Authority Impersonation: Impersonating authority figures to gain trust and information
Malware
Spyware and other malware capture information from devices:
- Keyloggers: Recording keystrokes to capture passwords and other typed information
- Data Theft: Stealing stored passwords, account information, and personal data from infected devices
- Information Exfiltration: Transmitting stolen information to attackers
Warning Signs of Identity Theft
Indicators that may suggest identity theft:
- Unknown Accounts: Unfamiliar accounts appearing on credit reports that were not opened by victims
- Unexpected Bills: Bills for services or accounts that victims did not use or open
- Debt Collection Calls: Calls from debt collectors about debts that victims do not recognize
- Mail Interruption: Mail stops arriving, which may indicate address changes by identity thieves
- Tax Return Rejection: Legitimate tax returns rejected because returns were already filed using victim Social Security numbers
- Medical Bills: Medical bills for treatments or services that victims did not receive
- Unexpected Credit Denials: Credit applications denied unexpectedly, which may indicate credit problems from identity theft
- Authentication Codes: Receiving authentication codes or account verification messages that victims did not request
- Account Statements: Account statements for accounts that victims did not open
- Credit Report Changes: Unexpected changes or accounts on credit reports
Multiple warning signs increase likelihood of identity theft. Early detection allows faster response and limits damage.
Protection Against Identity Theft
Information Security
Secure personal information to prevent theft:
- Document Shredding: Shred documents containing personal information before disposal
- Mail Security: Collect mail promptly and use locked mailboxes when possible
- SSN Protection: Do not carry Social Security cards; memorize numbers instead
- Strong Passwords: Use secure, unique passwords for all accounts. See creating strong passwords for guidance
- Two-Factor Authentication: Enable two-factor authentication on accounts to add protection even if passwords are compromised
- Password Managers: Use password managers to maintain unique passwords for different accounts
Account Monitoring
Monitor accounts and credit for signs of identity theft:
- Credit Report Reviews: Check credit reports regularly from all three major credit bureaus (available free at annualcreditreport.com)
- Bank Statement Reviews: Review bank and credit card statements regularly for unauthorized transactions
- Transaction Alerts: Set up transaction alerts to receive notifications of account activity
- Credit Monitoring: Consider credit monitoring services that alert to credit report changes
- Breach Checking: Check if email addresses have been involved in data breaches using services such as haveibeenpwned.com
Online Security
Practice secure online behavior:
- Social Media Caution: Limit personal information shared on social media that could be used for identity theft
- Phishing Awareness: Be aware of phishing attempts and avoid providing information through suspicious channels
- Secure Networks: Use secure networks for sensitive transactions; avoid public Wi-Fi for banking or other sensitive activities
- Software Updates: Keep devices and software updated to protect against malware that could steal information
- Security Software: Use security software to protect against malware and phishing
Credit Freezes
Credit freezes prevent new accounts from being opened:
- Freeze Availability: Credit freezes are free to place and lift at all three major credit bureaus
- Comprehensive Freezing: Freeze credit at all three bureaus (Equifax, Experian, TransUnion) for complete protection
- Temporary Lifts: Credit freezes can be temporarily lifted when legitimate applications require credit checks
- Account Protection: Freezes prevent new accounts from being opened even if identity thieves have personal information
Credit freezes provide strong protection because they prevent new accounts from being opened, even if identity thieves have sufficient information.
Response to Identity Theft
Immediate Response Steps
If identity theft is suspected or confirmed:
- Place Fraud Alerts: Contact one credit bureau to place fraud alert (they notify others); alerts last 90 days and can be renewed
- Freeze Credit: Freeze credit at all three major credit bureaus to prevent new account opening
- Review Credit Reports: Obtain and review credit reports from all three bureaus to identify fraudulent accounts
- FTC Reporting: File report at identitytheft.gov, which creates recovery plan and provides documentation
- Police Report: File police report with local law enforcement for documentation purposes
Recovery Steps
Recover from identity theft:
- Close Fraudulent Accounts: Contact each company where fraudulent accounts were opened to close them
- Dispute Errors: Dispute fraudulent information with credit bureaus in writing, providing police reports and FTC reports
- Change Passwords: Change passwords for all accounts, especially financial and email accounts
- Check Other Records: Review medical records, employment records, and tax records for fraudulent activity
- Documentation: Keep detailed records of all communications, reports, and correspondence related to identity theft
Long-Term Monitoring
Continue monitoring after initial response:
- Ongoing Credit Monitoring: Continue checking credit reports regularly for new fraudulent activity
- Identity Theft Services: Consider identity theft protection services that provide monitoring and assistance
- Early Tax Filing: File taxes early to prevent tax identity thieves from filing first
- Continued Vigilance: Remain vigilant as identity thieves may attempt to use information again
Identity theft recovery can be time-consuming, but systematic documentation and persistence can resolve most issues. Early detection and response limit damage.
Limitations of Protection
Identity theft protection has limitations:
- Data Breach Exposure: Personal information exposed in data breaches is outside individual control
- Information Availability: Some personal information is publicly available and cannot be fully protected
- Social Engineering: Sophisticated social engineering can bypass technical protections
- Detection Delay: Identity theft may not be detected immediately, allowing damage to accumulate
- Recovery Complexity: Recovery can be complex and time-consuming, requiring coordination with multiple organizations
No protection method is perfect. Defense in depth—combining information security, monitoring, credit freezes, and awareness—provides better protection than relying on any single method.