Everything You Need to Know About Identity Theft

What is identity theft?

Identity theft is the deliberate criminal use of personally identifiable information (PII) obtained without the victim’s consent or legal cause. The crime consists of two major elements — the information must be obtained illegally (such as by data theft), and it must be used to impersonate the victim for a criminal purpose.

There is a lot of confusion in popular culture about identity theft and identity fraud, to the point where the two terms are used synonymously. However, they are actually separate crimes. Identity fraud is the criminal use of PII in conjunction with an existing account. This information need not be obtained illegally (for example, if the criminal manages the owner’s data).

How identity theft can impact your life

Identity theft and identity fraud can bring victims’ lives to a complete stop. Unlike crimes that target one victim or a group directly, identity theft involves innocent tertiary victims — the person or institution that was targeted using your PII. This makes investigating incidents, determining blame, and undoing damage from identity theft attacks very difficult.

The consequences of identity theft include, but are not limited to:

• Ruined credit score, resulting in declined loans and credit cards

• Criminal investigations, possibly resulting in your arrest and interrogation

• Tarnished reputation, even if your name is cleared eventually

• Difficulty in passing job interviews and background checks until your name is cleared

• Stolen tax refunds if the identity thieves file returns in your name

• Direct financial loss if the criminals get access to your bank account

• Compromised medical history, resulting in misdiagnosis and ineffective treatment

• Compromised online accounts, leading to further attacks against you in the future

• Psychological damage and stress from dealing with the fallout of identity theft

Is someone using my identity?

In the modern era, the proliferation of cheap travel, online shopping, and bad internet habits (like password sharing among friends) has made identity theft difficult to detect. Nevertheless, there are some common identity theft red flags that you should be aware of.

Bank alerts. The law requires financial institutions like banks to implement rigorous anti-fraud measures to protect their customers. If they detect unusual behavior — for example, if your credit card is suddenly used in another country or a purchase is made on a suspicious website — they will immediately stop the transaction, flag your account, and contact you to confirm the details.

Surprise mail. Your registered home address is also an important part of your identity. If you regularly get letters addressed to someone else from financial institutions or law enforcement, someone could be trying to give the authorities the slip using your address. This also applies to unexpected mail addressed to you — if someone is trying to use your identity for a fraudulent tax refund, the government will send the tax transcript to your house.

Unfamiliar debts. One of the most common ways that criminals abuse stolen identities is to open up new accounts with financial institutions, max them out, and bail. If a debt collection agency or a bank contacts you about an unfamiliar debt, there’s a very real chance that your identity was used in a scam.

Credit score changes. Variations in your credit score rating reflect financial transactions in your name: spikes show that someone is trying to extend credit, while dips may indicate loan applications. A bad credit score can result in your credit card or loan applications being rejected — if that happens, make sure to check your credit report thoroughly.

What should I do if I’m a victim of identity theft?

Step 1: Contact affected institutions

Identity thieves won’t stop just because you contact the police. To prevent any further damage, you need to contact all organizations that have been (or you believe could be) deceived by the criminals and explain the situation. They will be able to freeze your accounts, block compromised credit cards, and start investigating suspicious activities.

Step 2: Place a fraud alert

Fraud alerts make it more difficult for you (or anyone using your identity) to open up new accounts or request credit. To request a one-year fraud alert, you need to contact one of the three credit reporting agencies — Equifax, Experian, or TransUnion. When at least one agency has been notified, it will contact the other two on your behalf.

Step 3: Report the fraud

Once you’re out of immediate danger, you need to report the identity theft to the authorities. Each country has its own institutions for dealing with identity theft — for example, in the United States, you need to contact the FTC for identity theft cases. These institutions will help you stop further fraud and undo the damage. Once you’ve notified the institution in your country, you can file a separate report with the local police to begin a criminal investigation.

Step 4: Secure your accounts

You don’t know how deep the roots of deception go. To prevent identity thieves from simply waltzing back into your life once this crisis is over, you need to make sure your accounts are secure. First, contact every institution deceived by the identity thieves and cancel all fraudulent accounts. Then, protect all the accounts you have with new complex passwords to prevent future attacks.

Step 5: Review information

You’ve done all you could to staunch the blood flow — now it’s time to assess the damage. You can get a free credit report from Equifax, Experian, and TransUnion once a year to review any fraudulent activity. If you suspect the identity thieves have deceived an organization, you may ask it for copies of any account, loan, debt, or other applications in your name. This information will help you determine the extent of the crime, uncover other instances of fraud, and greatly aid any ongoing investigations.

Facts: How identity theft happens

To better protect yourself against identity theft, it’s important to understand how it happens. Let’s examine the most common ways that criminals can obtain your PII for identity theft.

Social engineering

Phishing, smishing, vishing — identity thieves will use every social engineering trick in the book to get your data. They’ll pretend to be someone you trust (such as a co-worker or bank official) to trick you into downloading a virus, clicking an infected link, or simply entering your details into a fake website. In fact, if the criminals are using stolen data as part of their deception, an act of social engineering can also be a case of identity theft.

Malware and exploits

You can’t access your online life directly with your mind — at least, not yet. As a result, your devices hold a ton of personally identifiable information about you. Infected files and security loopholes give hackers a way into your computer or smartphone. Once inside, they can rifle through your files, access your browser cache, or deploy keyloggers to steal passwords.

Data hijacking

Criminals can set up fake networks or infiltrate ones with weak security (for example, public Wi-Fi hotspots at airports, restaurants, and hotels) to spy on unencrypted traffic. If you’re not using a VPN, they are able to see everything you do on websites not protected by HTTPS and may even be able to monitor your communications with others.

Dumpster diving

Dumpster diving refers to the act of rifling through the victim’s trash for scraps of personally identifiable information. Many people don’t shred confidential documents or official correspondence (like bank statements), making their garbage bins veritable treasure troves for identity thieves.

Shoulder surfing

Shoulder surfing is the act of spying on the victim’s device in real life, usually over their shoulder — hence the name. Shoulder surfing lets criminals steal account names, passwords, personal identification numbers, and other information that people have to manually input on their device. Because of this, be wary of typing in sensitive information if anyone is standing or sitting too close to you in public.

Data breaches

Many services store data about you on their servers, from your transaction history to your user profile. As a result, breaches of major websites and social media networks give criminals a lot of personally identifiable information to use in identity theft attacks.

Dark web marketplaces

Hackers buy and sell valuable data on underground marketplaces located deep in the dark web — the seedy underbelly of the internet untouched by search engines. The data for sale ranges from simple lists of usernames to complete information packages about a given person (known as “fullz”). That’s right — for identity thieves, getting your complete profile can be as simple as visiting eBay.

Facts: Types of identity theft

Identity theft does not refer to any one specific action — instead, it’s a catch-all term for a variety of fraudulent activities involving stolen identities. Many prominent institutions in the field (such as the Identity Theft Resource Center in the US) group these activities into five main types.

Financial identity theft

Most stolen identities are used for financial purposes, making financial identity theft the most popular type of identity theft by far. It covers a broad range of activities, such as borrowing, taking out credit cards, opening new bank accounts, or making purchases in the victim’s name.

Criminal identity theft

No, it’s not a tautology — all identity theft is criminal, but criminal identity theft specifically refers to deliberate misrepresentation of yourself as another individual on arrest. Sometimes, identity thieves even carry fake IDs to help with the deception. If the officials believe the lie, they can place charges under the victim’s name, leading to wrongful court summons and fines.

Criminal identity theft is not very common, but its consequences can be difficult to get rid of. To clear their criminal record, the victim may need to separately contact the arresting officers with evidence proving their identity and petition the courts to expunge their records. This becomes even more complicated if the stolen identity was used in multiple jurisdictions or across borders.

Identity cloning

Identity cloning is what most people imagine when they hear the words “identity theft” — using the victim’s PII to assume their identity in daily life. While this sounds like it was taken straight out of spy fiction, this type of identity theft happens every day — even something as mundane as creating a fake social media profile using a stolen name and pictures is identity cloning!

Medical identity theft

Medical identity theft covers situations where the victim’s identity is used to fraudulently obtain medical treatment. In the United States, it also covers medical insurance fraud using a stolen identity. Because access to medical treatment is heavily regulated, some cases of medical identity theft can seem fairly harmless — for example, using a friend’s identity to obtain prescription-only medicine for yourself without their knowledge.

Child identity theft

Children are innocent — and identity thieves are eager to exploit that. PII relating to minors is very valuable because it rarely has any adverse tags (such as a criminal record or a bad credit rating) or tails (such as a medical history), giving identity thieves free reign to take out loans, issue ID, or even buy property in the victim’s name. In many cases, the victim only becomes aware of the identity theft when they try to apply for loans much later in life.

Other types of identity theft

The five categories above cover most scenarios of identity theft, but some cases are distinct enough to deserve a separate mention:

• Synthetic identity theft involves criminals forging a fake identity out of others (for example, using a fake name with a real social security number).

• Tax identity theft has criminals use the victim’s identity to claim their tax refunds.

• Estate identity theft uses a deceased victim’s PII to open accounts and rack up debt.

• Employment identity theft helps criminals pass background checks and get access to important positions in their target company.

How to protect yourself from identity theft

You’ve made it this far. Don’t panic — identity theft is a serious problem, but you can greatly reduce the criminals’ chances by following these simple rules.

1. Regularly check bills and statements…

   Your utility bills, credit card statements, and bank letters can reveal the actions of identity thieves long before fraud prevention systems kick in. Minor purchases and subscriptions at unknown websites may not set off alarm bells at the bank, but they can tip you off that someone is abusing your identity.

2. …and properly dispose of them

   If you’re just chucking your bank statements in the bin, you’re literally leaving treasure for pirates to find. Financial documents contain a wealth of PII like social security numbers, personal identity codes, and account numbers. Get in the habit of shredding documents and deleting files from your inbox once you’re done with them.

3. Learn to detect phishing attempts

   Phishing and other forms of social engineering take advantage of your trust in others to steal personally identifiable information. The first step to defending yourself is understanding how social engineering works — you can start by reading up on common scams like email phishing, vishing, and spear phishing on our blog.

4. Add additional identity checks

   Where possible, opt in for extra security steps at banks, credit unions, services, and government institutions — for example, you can request the US Internal Revenue Service (IRS) to issue you an identity protection PIN for tax refunds. Also, set up multi-factor authentication (MFA) for all your accounts to put another barrier between criminals and your PII.

5. Use a trusted password manager

   Strong passwords stop criminals from breaking into your accounts, stealing personal data, and wreaking havoc with your digital life. Trouble is, strong passwords are also tough to remember and a nightmare to type in every time you want to log in. Fortunately, NordPass is here to help.

   NordPass generates strong unique passwords for all your accounts and safely enters them for you on all platforms, taking the hassle out of password management. Your passwords are kept safe in a XChaCha20 encryption-protected vault that can only be accessed by you — no one, including us, can peek inside to steal your data.

Don’t wait — try NordPass for free today.