What Is Identity Theft? How It Happens and How to Prevent It
Identity theft occurs when someone uses another person's personal information without permission for fraud or other crimes. This article covers types, methods, and prevention.
What Is Identity Theft?
Identity theft occurs when an individual's personal identifying information is obtained and used by another person without authorization, typically to commit fraud or other crimes. Personal information exploited in identity theft commonly includes full legal names, Social Security numbers (in the United States), dates of birth, passport numbers, bank account credentials, credit card numbers, and medical insurance identifiers. Identity theft is a criminal offense in all U.S. states and in most countries worldwide. According to the U.S. Federal Trade Commission (FTC), identity theft has consistently been the most reported category of consumer fraud, with over 1.4 million reports filed in 2023 alone.
Types of Identity Theft
Identity theft manifests in several distinct forms depending on what information is stolen and how it is exploited:
- Financial identity theft: The most common type. The perpetrator uses stolen credentials to open new credit accounts, take out loans, make unauthorized purchases, or drain existing bank accounts.
- Tax identity theft: A fraudulent tax return is filed using the victim's Social Security number to claim a refund before the legitimate taxpayer files.
- Medical identity theft: The perpetrator uses stolen health insurance information to obtain medical care, prescriptions, or equipment. This can corrupt the victim's medical records with inaccurate information.
- Criminal identity theft: An offender provides a victim's name and identification to law enforcement during an arrest or investigation, leaving the victim with a false criminal record.
- Child identity theft: A child's Social Security number is stolen and used to establish fraudulent credit histories. This often goes undetected for years because children do not typically monitor their credit.
- Synthetic identity theft: The perpetrator combines real and fabricated information (e.g., a real Social Security number with a fictitious name and birthdate) to create a new identity used to obtain credit.
How Identity Theft Occurs
Identity thieves use a wide range of methods to obtain personal information, from sophisticated cyberattacks to low-tech physical theft:
| Method | Description | Information Targeted |
|---|---|---|
| Data breaches | Unauthorized access to corporate databases containing customer records | Usernames, passwords, SSNs, payment cards |
| Phishing | Fraudulent emails, texts, or websites impersonating legitimate entities | Login credentials, payment data |
| Malware / spyware | Software installed on victim's device to capture keystrokes or screen contents | Passwords, banking credentials |
| Mail theft | Stealing physical mail containing financial statements or pre-approved offers | Account numbers, SSN |
| Dumpster diving | Retrieving discarded documents with personal information | Account numbers, medical records |
| Account takeover | Credential stuffing using leaked username/password pairs | Email, financial accounts |
| SIM swapping | Social engineering a mobile carrier to transfer phone number to attacker's SIM | Two-factor authentication bypass |
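
The account takeover row above describes credential stuffing, which a service operator can spot in its own login records. The following is an added example, not part of the original article: it flags any source address that tries many distinct usernames in a short window and lists the accounts that logged in successfully during that burst. The log format, threshold, and function name are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:03 203.0.113.7 bob FAIL
2024-05-01T10:00:05 203.0.113.7 carol FAIL
2024-05-01T10:00:08 203.0.113.7 dave OK
2024-05-01T10:00:09 203.0.113.7 erin FAIL
2024-05-01T10:02:00 198.51.100.4 frank FAIL
2024-05-01T10:02:30 198.51.100.4 frank FAIL
2024-05-01T10:03:00 198.51.100.4 frank OK
"""

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=4):
    """Return {ip: {"users": set, "compromised": set}} for flagged sources.

    A source is flagged when it attempts logins for at least `min_users`
    distinct usernames within `window`. One person retrying a forgotten
    password (many failures, one username) is deliberately not flagged.
    """
    recent = defaultdict(deque)           # ip -> deque of (time, user, ok)
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        ts, ip, user, result = parts
        when = datetime.fromisoformat(ts)
        events = recent[ip]
        events.append((when, user, result == "OK"))
        while events and when - events[0][0] > window:
            events.popleft()              # drop events outside the window
        users = {u for _, u, _ in events}
        if len(users) >= min_users:
            hit = flagged.setdefault(ip, {"users": set(), "compromised": set()})
            hit["users"] |= users
            # A success inside a stuffing burst means a leaked password
            # worked: that account needs a forced reset and session revoke.
            hit["compromised"] |= {u for _, u, ok in events if ok}
    return flagged

if __name__ == "__main__":
    for ip, hit in detect_stuffing(SAMPLE_LOG).items():
        print(ip, sorted(hit["users"]), "reset:", sorted(hit["compromised"]))
```

Shared egress addresses (office NAT, VPN exits) can legitimately carry many usernames, so the threshold and window need tuning against normal traffic before alerts are acted on.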
The Role of Data Breaches
Large-scale data breaches — unauthorized disclosures of personal records held by organizations — are among the most significant sources of identity theft. Notable breaches include the 2017 Equifax breach (147 million records exposed, including SSNs and birth dates), the 2021 T-Mobile breach (54 million customer records), and the 2023 MOVEit breach (affecting hundreds of organizations and tens of millions of individuals). Stolen records from data breaches are typically sold on dark web marketplaces, where they are purchased by identity thieves who exploit the information months or years after the initial breach. The proliferation of breached data has created a persistent background environment of risk for individuals whose information has been exposed.
Warning Signs of Identity Theft
- Unexpected bills, collection notices, or account statements for accounts the individual did not open.
- Unexplained charges appearing on existing bank or credit card statements.
- Denial of credit applications due to negative information the individual did not expect.
- Missing expected mail, possibly indicating the postal address has been changed by a fraudster.
- IRS notification that a tax return has already been filed using the individual's SSN.
- Medical Explanation of Benefits statements for services not received.
- Alerts from credit monitoring services about new accounts or hard inquiries.
Prevention Measures
| Measure | Description | Protects Against |
|---|---|---|
| Credit freeze | Restricts access to credit report, preventing new account openings | New account fraud |
| Multi-factor authentication (MFA) | Requires a second verification factor beyond a password | Account takeover |
| Password manager | Generates and stores unique strong passwords for each account | Credential stuffing, phishing |
| Credit monitoring | Alerts to changes in credit report (new accounts, hard inquiries) | Financial identity theft |
| Document shredding | Destroys documents containing personal information before disposal | Dumpster diving |
| Mail monitoring / USPS Informed Delivery | Tracks expected mail to detect theft or mail forwarding fraud | Mail theft |
Legal Framework and Victim Recourse
In the United States, the primary federal law addressing identity theft is the Identity Theft and Assumption Deterrence Act of 1998, which made identity theft a federal crime punishable by up to 15 years' imprisonment and fines. The Fair Credit Reporting Act (FCRA) gives consumers the right to dispute inaccurate information in credit reports caused by identity theft. Victims can place a fraud alert with the three major credit bureaus (Equifax, Experian, TransUnion) — which requires lenders to take extra steps before opening new accounts — or implement a credit freeze, which is more comprehensive. The FTC's IdentityTheft.gov platform provides a personalized recovery plan for U.S. victims. The European Union's GDPR establishes data protection obligations that, when enforced, reduce the risk of data breaches contributing to identity theft.