What identity theft is: Types, examples, and prevention

What is identity theft?

What is identity fraud?

Identity fraud is the next step that many cybercriminals take after stealing your personal information — it means using that stolen identity for fraudulent purposes. If an identity thief steals your personal or financial information, they may use it to collect your money, make purchases, or take out loans in your name.

Identity theft and identity fraud are two closely related concepts. And since identity theft can (and typically does) lead to fraud, it’s common to see these terms used interchangeably.

How does identity theft happen?

When criminals gain access to your personal information without your consent, that’s identity theft. Attackers typically access your information either by tricking you into sharing it with them or by launching cyberattacks to gather the information without your direct involvement. They may use one of the following strategies:

• Social engineering. Scammers trick or manipulate you into revealing private information. Social engineering takes many forms, including sending phishing emails, pretending to be someone else, offering something tempting to gain access to your data (baiting), or even physically following you into a secured area (tailgating).

• Phishing. Phishing is a type of social engineering that involves an attacker sending fake emails or messages. Scammers make these emails and messages look like they’re from legitimate service providers, luring you into sharing your personal information or clicking a link. If you click the link, you’ll typically be directed to a fake website designed to steal your login credentials.

• Hacking. Another way for cybercriminals to steal your identity is to hack their way into your computer, network, or system with the goal of stealing your data, causing damage, or disrupting operations. Hackers can break into accounts, install malicious software, or exploit weaknesses in security systems to steal your confidential information.

• Malware. Malware is malicious software (viruses, spyware, or ransomware) that cybercriminals install on your device to track your activity, damage your files, or gain access to your sensitive data. Cybercriminals often use malware to commit identity theft by secretly collecting personal details like passwords and credit card numbers, which they may use for identity fraud.

• Data breaches. Data breaches often lead to identity theft. Essentially, a data breach is an incident in which someone (deliberately or unknowingly) leaks sensitive information or when this information ends up in the wrong hands due to poor security or a cyberattack.

• Skimming. Criminals may use skimming to steal your debit or credit card information and drain your bank account. They can do so digitally or physically. In a digital skimming attack, criminals secretly place malicious code on a website to capture your payment card details when you make a transaction online. Physical skimming involves attaching a small device (a skimmer) to an ATM or payment terminal to secretly capture data from your credit or debit card when you swipe or insert it.

  
  

Different types of identity theft

Identity theft may take many forms, each with its own sneaky tactics. Knowing the differences between the main types of identity theft may help you take steps to protect yourself from criminals.

Medical identity theft

Medical identity theft happens when someone steals your personal information, like your name, insurance details, or Social Security number, and uses it to receive medical services or prescriptions under your name. Becoming a victim of medical identity theft may result in bogus medical bills or incorrect information on your medical records. It can even impact your eligibility for health insurance benefits.

Some of the risks of becoming a medical identity theft victim may come from using health apps with poor security. Well-being apps often collect more data than necessary, and that’s no secret. In fact, 42% of users know their health apps collect irrelevant information that doesn’t directly contribute to their health goals. If criminals bypass the app’s security, they can misuse or share that excess information without the user's knowledge, leading to security breaches or other risky consequences.

Financial identity theft

Financial identity theft is the act of stealing someone’s financial information, like their bank account or credit card details, to make purchases or open accounts in the victim’s name. If you suffer financial identity theft, you may end up with huge bills, damaged credit, and a lengthy recovery process.

Credit card fraud

Credit card fraud is a likely result of financial identity theft. When criminals steal your financial information (namely, your credit card number, expiration date, CVV number, and your name), they can use it to make unauthorized purchases, which may result in unexpected charges and damage to your credit score.

Child identity theft

Child identity theft happens when a criminal uses a minor’s personal information, like their name, date of birth, or Social Security number, to commit fraud or financial crimes. Since creditors often don’t check the person’s age, thieves can exploit the child’s details to open fake bank accounts, make fraudulent purchases, take out loans, or even apply for government benefits in the child’s name.

Tax-related identity theft

Tax-related identity theft occurs when a criminal uses someone’s personal information, like their Social Security number, to file a fraudulent tax return and claim a refund. Tax-related identity theft is considered a form of tax fraud because the thief is intentionally submitting false information to the IRS to steal money. Afterwards, the victim has to deal with delayed refunds and issues with their tax records.

Criminal identity theft

Criminal identity theft happens when a thief uses someone else’s personal information, such as their name and ID, during an arrest or while committing a crime. This way, a criminal record is created in the victim’s name, even though they were not involved in the crime.

Social Security number identity theft

Social Security number identity theft is just what it sounds like — it’s when someone steals your SSN and uses it to pretend to be you. For example, a scammer might steal your wallet, purse, or mail or rummage through your trash to obtain your SSN. They could also use social engineering — pose as an employer or someone from a government agency — to trick you into sharing your SSN. The scammer can then use your stolen Social Security number to commit financial crimes, damaging your credit in the process.

Employment identity theft

To pull off employment identity theft (also called employment fraud), criminals use your personal information, like your name and SSN, to get hired or receive wages. For example, a thief might use your stolen details to apply for a job, causing tax issues and potentially leaving you with a false employment record or unpaid taxes.

You might have also heard of employment scams, which work differently — they involve a scammer offering fake job opportunities to trick you into paying money, sharing personal information, or downloading malicious software.

Senior identity theft

Senior identity theft (or elder fraud) occurs when criminals target older adults to steal their personal information. Scammers often exploit seniors’ trust or their unfamiliarity with technology to commit fraud, such as stealing benefits, draining their bank accounts, or opening credit lines in their name. If you have elderly people in your life who struggle with technology, consider educating them to keep them safe and help create a safer internet for seniors.

Synthetic identity theft

Synthetic identity theft has to do with criminals “synthesizing,” or mixing, stolen personal information with made-up details to create a new, false identity that they may use to carry out financial crimes. In some cases, scammers even use artificial intelligence to generate fake faces to bypass biometric security checks.

Identity cloning

Identity cloning is a type of identity theft that happens when a criminal takes your personal information, like your name and address, and uses it to create a fake version of your identity. Essentially, the criminal impersonates you, but unlike with full-on identity theft, their goal is often to duplicate enough of your information to commit fraud without you noticing right away.

Examples of identity theft

You might have heard about some recent identity theft examples involving well-known companies. Even the largest corporations, such as AT&T, are not completely protected from attacks that result in stolen identity information. AT&T, the telecommunications giant, suffered a significant data breach in July 2024, where hackers accessed and stole phone records of approximately 110 million customers. They stole call metadata and later used it in extortion attempts. The company acknowledged the breach and notified customers while taking measures to address the issue.

Another big breach in 2024 affected the data broker company National Public Data. In August, the company confirmed a massive data breach that compromised the sensitive information, including Social Security numbers, of nearly all Americans. The breach itself occurred in April 2024 and involved approximately 2.9 billion records, leading to multiple class-action lawsuits against the company.

Another significant example of identity theft impacting a major corporation is the series of security incidents that Okta, an identity and access management company, faced between 2022 and 2023. In March 2022, the hacking group LAPSUS$ gained access to Okta’s internal systems through a third-party customer support engineer’s computer, potentially impacting up to 366 customers. Later, in December 2022, malicious actors stole Okta’s source code from its GitHub repository. These incidents raised concerns about the security of Okta’s systems and the potential exposure of client data.

What are the chances of falling victim to identity theft or fraud?

The chances of falling victim to identity theft or fraud can vary, but recent statistics show that identity theft has already become one of the most commonly reported types of fraud. According to the US Federal Trade Commission (FTC), in 2023, Americans filed a total of 5.7 million fraud and identity theft reports.

While anyone can be at risk, certain factors like online behavior, financial habits, and personal information sharing can increase your chances of an identity thief targeting you. ID thieves often exploit previous data breaches, use phishing techniques, or even carry out old-fashioned scams to steal personal information in order to gain financial advantages. The Federal Trade Commission reports that in 2023, about 60% of identity theft victims experienced credit card theft and fraud, followed by issues like loan fraud and government documents misuse.

In 2023, NordVPN’s research revealed that nearly 6 million stolen credit cards were available for purchase on the dark web. These stolen card details often come from data breaches, and many are sold in bot markets — online platforms where cybercriminals can buy and sell illicit data.

With so many people affected by identity theft, it may make you wonder if your personal information is safe or whether it has been exposed? Check out the signs of ID theft to know for sure.

Recognizing the signs of identity theft

It can be difficult to know if you’ve become a victim of identity theft, especially if you don’t check your financial statements regularly. Some clear signs on identity theft include:

• Bills for items that you didn’t buy appearing on your credit card statement.

• Calls from debt collectors about accounts in your name that you didn’t open.

• New credit cards in your name that you didn’t apply for.

• You are denied when you apply for a loan even though you thought your credit was in good standing.

• Hard inquiries into your credit report.

• Checks that bounce.

• Unfounded medical bills.

• Having your utilities shut off or having your utility bills drastically increase.

• You can’t sign in to accounts.

All of these signs should put your guard up. To check if someone is using your identity, you should inspect your credit report, bank statements, and online accounts for suspicious activity or unauthorized changes. And if you notice any changes — report them immediately to relevant authorities and take action to recover your identity.

How to report identity theft

Discovering that your identity has been stolen can be unsettling and stressful. If you’re facing identity theft or fraud in the US, taking these steps will help you get back on track:

• File an identity theft report. Visit IdentityTheft.gov to file an official report. This will create a record of the theft and provide you with a personal recovery plan. You’ll need this report for disputing fraud and working with law enforcement and your financial institutions.

• File a report with the Federal Trade Commission. To report fraud, scams, or bad business practices, visit ReportFraud.ftc.gov.

• Contact your financial institution. If you suspect financial identity theft, reach out to your bank or credit card issuer to report suspicious activity, close compromised accounts, and protect your finances.

• Place a fraud alert or credit freeze with the major credit bureaus. A fraud alert will notify creditors to take extra steps to verify your identity before granting credit in your name, while a credit freeze will provide stronger protection by preventing thieves from opening new accounts in your name. Place a fraud alert or freeze your credit on the Equifax website (or call 800-349-9960), freeze your credit on the Experian website (or call 888-397-3742), or freeze your credit on theTransUnion website (or call 888-909-8872).

• Contact local law enforcement. File a police report with your local department and bring your FTC report, ID, proof of address, and any evidence of theft with you.

• Review and dispute fraudulent activity. Go over your bank and credit card statements for unauthorized charges and dispute them with your financial institutions. Use your FTC and police reports as supporting documents.

• Change passwords and secure your accounts. Update your passwords across all accounts, especially financial ones, and enable 2FA for extra protection.

• Monitor your identity. Keep an eye on your credit reports, financial accounts, and alerts from identity theft protection services for unusual activity. You can request free credit reports from the three credit bureaus at AnnualCreditReport.com.

Whether you’re recovering from ID theft or have never experienced it (in that case congratulations — your online security game is on point!), you can take steps to avoid it in the future.

How to avoid identity theft

Now that you know the many ways identity thieves can get hold of your information, it’s time to discuss what you can do to prevent it. Avoiding ID thieves relies on you adopting some safe habits when it comes to storing, sharing, and managing your information and online accounts.

• Use strong passwords. Topping the list of strong personal security habits, you’ll find the use of complex passwords that you don’t reuse for multiple accounts. One account, one password — period.

• Enable two-factor authentication (2FA). Setting up 2FA for your online accounts adds an extra layer of security. Even if an ID thief manages to steal your password, they won’t be able to log in to your account without the second factor, which is typically a code sent to your phone or an app.

• Monitor your credit and bank accounts regularly and set up alerts for unusual transactions so you can catch potential fraud early. Also, review your credit report at least once a year to make sure no unauthorized accounts have been opened or activity you haven’t initiated appears.

• Be cautious of phishing and scams. Be careful of unsolicited emails and messages, especially if they pressure you to click a link or submit your login information. If the suspicious email or message is supposedly from a public institution or a company, check with it directly to find out if it’s really the organization contacting you. A particularly useful tool against phishing and scams is Threat Protection Pro™, anti-phishing software by NordVPN, which uses AI-powered technology to detect scams, phishing, and fake shops.

• Shred sensitive documents. With cyberthreats on the rise, it’s easy to forget that identity thieves could simply collect the documents you’ve discarded and get your information from there. You should shred the documents you no longer need or, better yet, switch to the digital format completely.

• Use a VPN on public Wi-Fi. Public Wi-Fi isn’t always secure, so we advise using a VPN on public Wi-Fi. It will redirect your online traffic through a private internet server, effectively protecting it from snoopers and ID thieves.

• Stay alert for data breaches by regularly checking if your credentials have been leaked on the dark web. How? Use NordVPN’s Dark Web Monitor, which scans dark web forums and sites for credentials associated with your NordVPN email address and sends you immediate alerts if it finds them there.

If you’re based in the US, another great tool to have at your disposal is an identity theft protection service. Reliable identity theft protection services, such as NordProtect, offer dark web monitoring and credit activity monitoring and send immediate alerts if it detects data leaks or suspicious credit activity. These services are there to help you react as fast as you can in case attackers steal your identity, and they may also assist you in recovering it.