Identity Theft

Identity theft occurs when a criminal obtains or uses the personal information; e.g. name, login, Social Security number, date of birth, etc., of someone else to assume their identity or access their accounts for the purpose of committing fraud, receiving benefits, or gaining financially in some way.

What is identity theft?

We're all in the middle of an identity crisis—an identity theft crisis, that is.

According to a 2017 report from Javelin Strategy, there were 16.7 million victims of identity theft in the United States, while total losses across all types of identity theft reached $16.8 billion. For perspective, if the criminals responsible banded together to create their own country, which we'll call Crimeland (Crimea is already taken), the nominal gross domestic product would put Crimeland at 118th place just below Gabon and above Georgia.

The top forms of identity theft according to the Federal Trade Commission (FTC) Data Book 2018 are:

  • Credit card
  • Tax
  • Phone or utilities
  • Bank
  • Loan or lease
  • Government documents and benefits
  • Other (a catchall for medical, social media, and other less common forms)

Identity theft occurs when a criminal obtains or uses the personal information; e.g., name, login, Social Security number (SSN), date of birth, etc., of someone else to assume their identity or access their accounts for the purpose of committing fraud, receiving benefits, or gaining financially in some way.

In the US, “identity theft” wasn't legally defined until 1998. It was then Congress passed the Identity Theft and Assumption Deterrence Act, which made identity theft a prosecutable offense in and of itself. Prior to this, identity theft was prosecuted under a hodgepodge of state and federal fraud statutes designed with old-timey grifters and con-artists in mind (think Leonardo DiCaprio in the 2002 film Catch Me if You Can).

International laws vary from one country to the next. Of note, EU citizens are protected under the General Data Protection Regulation (GDPR). The UK followed suit with the Data Protection Act 2018.

Pre-Internet criminals typically had to go through your physical mail box or suffer the indignity of rummaging through your smelly trash to get the information they needed to steal your identity—like those “you're already approved,” pre-screened credit offers we all get in the mail.

Thanks to the miracle of modern technology, today's cybercriminals don't have to work nearly as hard to invade your privacy, but they stand to gain so much more. Big businesses and the large caches of data contained on their networks present a much more lucrative target than piecemeal attacks on individual consumers. Accordingly, attacks on businesses are up 235 percent year over year, according to the Malwarebytes Labs Cybercrime Tactics and Techniques report. At the same time, attacks on consumers went down almost 40 percent.

According to the Identity Theft Resource Center's (ITRC) 2018 End-of-Year Data Breach Report there were 1,244 data breaches, exposing over 446 million records in 2018.

“Thanks to the miracle of modern technology, today's cybercriminals don't have to work nearly as hard to invade your privacy, but they stand to gain so much more. Big businesses and the large caches of data contained on their networks present a much more lucrative target than piecemeal attacks on individual consumers.”

Chances are your data has already been compromised in a data breach.

For example, the 2013 Yahoo data breach affected all three billion Yahoo user accounts (yes, that's billion with a “b”). If at any point in time you had an account with Yahoo, you're a victim. The stolen data included names, emails, a mix of encrypted and unencrypted passwords, and security questions and answers—all of which are immensely useful for hacking into other accounts that use the same login credentials (aka credential stuffing attacks).

As a result of the Yahoo data breach and others like this, this, and these, your personal data is likely for sale right now on the Dark Web. The Dark Web is like the Bizarro World version of the Web we use every day. While the average person uses the normal Web to stream movies, buy groceries, and download software. The Dark Web caters to a different kind of customer looking for illegal porn, drugs, and caches of stolen data.

According to the New York Times, three shady buyers paid $300,000 each on a Dark Web marketplace for the stolen Yahoo data.

Collection 1, the largest assemblage of stolen data in history was at one point selling on the Dark Web for a mere $45.

This is a familiar narrative within the world of cybercrime—you place your trust in an organization, organization is hacked, your data is stolen, cybercriminals sell your data on the Dark Web, buyers use your data to commit fraud.

Before you resign yourself to victimhood, take heart. There are steps you can take to safeguard the privacy of your data and protect your identity from would-be identity thieves. Even if the bad guys already have your personal information, you can make your information entirely useless to them.

Let's take a deeper dive into the sordid world of identity theft, the signs, the causes, how to protect yourself, and what to do if your identity has already been stolen.

“This is a familiar narrative within the world of cybercrime—you place your trust in an organization, organization is hacked, your data is stolen, cybercriminals sell your data on the Dark Web, buyers use your data to commit fraud.”

What are the signs of identity theft?

  • You stop receiving your regular bills and credit card statements.
  • You receive statements for accounts you never opened.
  • Debt collectors start calling you day and night about debts you've never heard of.
  • The IRS alleges you failed to report income for a company you never worked for.
  • You see withdrawals/charges on your bank or credit card statement that you didn't make.
  • You try to file your taxes only to discover that someone else beat you to it.
  • You try to file your taxes and find someone claimed your child as a dependent already.
  • Your credit report includes lines of credit you never opened.
  • Your credit score fluctuates wildly and for no apparent reason.
  • The most obvious sign—you receive a notification that you've been the victim of a data breach.

What are the types of identity theft?

Credit identity theft happens when a scammer steals your credit card number outright and uses it to make fraudulent purchases or obtains a credit card or loan under your name. According to the FTC, credit card related identity theft was the most common form of ID theft for 2018—up 24 percent over the previous year.

Tax identity theft occurs when a scammer gets a hold of your SSN and uses it to obtain a tax refund or get a job. This might come as a result of a data breach that exposes your SSN online, for example. The US Internal Revenue Service doesn't get much love from taxpayers, but the organization's efforts to reduce tax-related identity theft appear to be working. The IRS reports cases of tax-related identity theft are down 38 percent from 401,000 in 2016 to 242,000 in 2017.

Child identity theft. Why would someone want to pretend to be a child? Many reasons.
Scammers can use your child's SSN to obtain a tax refund, claim them as a dependent, open a line of credit, get a job, or obtain government ID. There are lots of ways you can protect against child identity theft, including freezing your kid's credit. Generally, they need to be under 15 or 16 years of age, though the age limit varies by state (more on credit freezes later).

Medical identity theft happens when criminals use your identity to see a doctor, get medical treatment, or obtain prescription drugs. In years past, medical identity theft could affect your ability to get health coverage or cause you to pay more for treatment. That's not the case anymore thanks to recent changes in the law, but past due medical debts incurred by a scammer can appear on your credit file and hurt your credit score. Seniors are a prime target for medical ID scams, because they receive Medicare and no one will think twice about frequent medical visits. With the Baby Boomer generation entering Medicare age (65+), scammers have more targets than ever before. Medical ID theft is up 103 percent year over year, according to the FTC.

Criminal identity theft happens when a criminal is arrested and provides law enforcement with a name, date of birth, and fraudulent ID based on a stolen identity. Criminal ID theft typically comes up when applying for a job or an apartment. If the employer or landlord performs a background check, the crimes of your nefarious doppelganger might stop you from getting that job or housing.

How does identity theft happen?

Here's a sampling of the more common attack methods cybercriminals use to breach an organization, network, or your personal computer in order to steal your personal information and your identity. And if you're interested in the history of data breaches, head over to our article on the subject.

An exploit is a type of attack that takes advantage of software bugs or vulnerabilities, which cybercriminals use to gain unauthorized access to a system and the data contained within. These vulnerabilities lie hidden within the code of the system and it's a race between the criminals and the cybersecurity researchers to see who can find them first. The criminals, on one hand, want to abuse the exploits while the researchers, conversely, want to report the exploits to the software manufacturers so the bugs can be patched. Commonly exploited software includes the operating system, Internet browsers, Adobe applications, and Microsoft Office applications.

Spyware and keyloggers are a type of malware that infects your computer or network and steals information about you, your Internet usage, and any other valuable data it can get its hands on; e.g. your usernames, passwords, and SSN. You might install spyware as part of some seemingly benign download (aka bundleware). Alternatively, spyware can make its way onto your computer as a secondary infection via a Trojan like Emotet. As reported on the Malwarebytes Labs blog, Emotet, TrickBot, and other banking Trojans have found new life as delivery tools for spyware and other types of malware. Once your system is infected, the spyware or keylogger sends all your personal data back to the command and control (C&C) servers run by the cybercriminals.

Phishing attacks work by getting us to share sensitive information like our usernames and passwords, often employing social engineering tricks to manipulate our emotions, such as greed and fear. A typical phishing attack will start with an email spoofed, or faked, to look like it's coming from a company you do business with or a trusted coworker. This email will contain urgent or demanding language and require some sort of action, like verifying payments or purchases you never made. Clicking the supplied link will direct you to a malicious login page designed to capture your username and password. If you don't have multi-factor authentication (MFA) enabled, the cybercriminals will have everything they need to hack into your account. While emails are the most common form of phishing attack, SMS text messages (aka smishing) and social media messaging systems are also popular with scammers.

Oversharing on social media. It's not our fault when a social media site like Facebook or Google+ gets hacked, but oversharing personal information on social media does increase our risk of identity theft in the event of a data breach. A Facebook bug allowed spammers to get around login requirements and access personal information for 30 million users. Likewise, a bug in Google+ gave third-party app developers access to personal information, including name, email, DOB, gender, places lived, and occupation for nearly half a million users. Two months later Google pulled the plug on the social media service when it was discovered another Google+ bug exposed over 50 million users. Should you limit your exposure and delete yourself from social media? If you answered yes, check out our guide.

Scam calls and robocalls are live or pre-recorded phone calls designed to trick you out of your personal information. A recent robocall covered on the Malwarebytes Labs blog involved scammers purporting to be from the Social Security Administration. Recipients were accused of “leaving behind trails of suspicious information” and if the recipients do not call the scammers back and confirm their SSN, a warrant would be put out for their arrest. The really grifty part of this scam is that the perpetrators used spoofing technology to make the calls appear to come from the Social Security Administration's national customers service number. According to the FTC, scam calls from people pretending to be from the Social Security Administration went up 994 percent from 3,200 in 2017 to 35,000 in 2018.

A SQL injection (SQLI) is a type of attack that exploits weaknesses in the SQL database management software of unsecure websites in order to get the website to spit out information from the database. Malwarebytes Labs ranked SQLI as number three in the The Top 5 Dumbest Cyber Threats that Work Anyway. A bad guy enters malicious code into the search field of a retail site, for example, where customers normally enter searches for whatever they're trying to buy. Instead of returning with a list of search results, the website will give the hacker a list of customers and their credit card numbers. This may sound like an oversimplification, but it really is this easy. Attackers can even use automated programs to carry out the attack for them. All they have to do is input the URL of the target site then sit back and relax while the software does the rest.

Broken or misconfigured access controls can make private parts of a given website public when they're not supposed to be. For example, a website administrator at an online retail site will make certain folders on the network private. However, the web admin might forget to make the related sub-folders private as well, exposing any information contained within. While these sub-folders might not be readily apparent to the average user, a cybercriminal with strong Google-fu skills could find those misconfigured folders and steal the data inside.

Credential stuffing. In the aftermath of a data breach, affected organizations will often force reset the passwords for all impacted users, but that doesn't necessarily mean everyone is safe. Cybercriminals can use stolen emails, usernames, passwords, and security questions/answers to break into other accounts and services that share the same information. Using off-the-shelf automation tools designed for testing webpages, cybercriminals enter a list of stolen usernames and passwords into a website until they land on the right credentials for the right website. This is credential stuffing and while it can be used to hack individual consumer accounts, it's typically used as part of a remote desktop protocol (RDP) attack.

“The Internet consensus seems to be that you shouldn't pay for credit monitoring services, but if it's offered to you for free (i.e. after a data breach) go ahead and sign up.”

Should I sign up for credit monitoring?

After a data breach, affected companies will usually offer free credit and identity monitoring services as a conciliatory measure. Are these monitoring and protection services actually worth the money?

The Internet consensus seems to be that you shouldn't pay for credit monitoring services, but if it's offered to you for free (i.e., after a data breach) go ahead and sign up.

Writing for the Malwarebytes Labs blog, cybersecurity researcher William Tsing said, “Identity theft monitoring services sound great on the surface. They're not that expensive and seem to provide peace of mind against an avalanche of ever-more damaging breaches. But they don't, at present, protect against the worst impacts of identity theft—the theft itself.”

What does “credit monitoring” or “identity theft protection” actually entail and why does everyone seem to think these services stink?

As Tsing pointed out, the biggest problem with credit monitoring services is that they can't actually stop cybercriminals from stealing your identity. Though they can alert you when someone opens up a line of credit under your name. Think about it this way, these services alert you to changes on your credit report if you can't be bothered to check your own credit report. If that's the case, then you may want to consider signing up and paying someone else to monitor your credit file for you, but the bottom line is that these credit monitoring services are just that—monitoring services, not protection.

How can I protect myself from identity theft?

If all of this talk about identity theft and data breaches upsets you, you're in good company. A data privacy survey conducted by Malwarebytes Labs found the majority of respondents want to take steps to protect their data online and distrust search engines and social media with their data.

As we've established, you probably don't need to pay for identity theft protection services that don't actually protect you against anything. Instead, follow our completely free, DIY tips below.

  • Claim your three free credit reports. Everyone should get in the habit of checking their credit file regularly. Every consumer gets one free credit report from each of the three major credit bureaus (Equifax, Experian, and TransUnion) at annualcreditreport.com.  You don't have to take them all at once—nor should you. By spreading your free reports over the course of a year, you can check your credit file three times a year, on your own, without paying a dime to the so-called “credit monitoring” services.
  • Put a free freeze on your credit file. As of 2018, credit freezes are free for everyone, no matter what state or country you live in. With a freeze in place, no one (including you) can look at your credit file, let alone open a line of credit. As long as you don't anticipate applying for a loan or a credit card anytime soon this is a great option. In the event that you need to open a line of credit, you can contact the credit bureaus and stop the freeze at any time with the PIN you received when you froze your account. The only hassle is that you must contact each credit bureau individually to enact or remove a freeze. You should submit a freeze for your children while you're at it. Yes, the credit bureaus maintain credit files for your underage children. Unlike an adult credit freeze, where you might have to turn it on and off over time to buy car or apply for a loan, you can freeze your kid's credit and forget about it until they turn 18.
  • Opt-out of pre-screened credit offers. If you have good to excellent credit, you likely receive several credit card offers in the mail every week. Pre-screened offers don't hurt your credit score and they often include big sign up bonuses, but they also leave you exposed to credit card fraud. Criminals can steal these offers out of your mailbox and open a credit account under your name. It's a decidedly low-tech form of identity theft, but it works. You can limit your exposure by visiting optoutprescreen.com and opt-out of pre-screened credit cards. This stops the credit bureaus from sharing your credit file with creditors and insurers. Plus, you'll be saving some trees and reducing the glut of junk mail that fills your mailbox every month.
  • File your taxes early. The IRS will only accept one tax return per SSN. Beat scammers to the punch and file your taxes before they can do it for you.
  • Get an identity protection PIN from the IRS. If you're willing to jump through an extra hoop when tax season comes around, consider obtaining an identity protection PIN. Anyone who tries to file a tax return using your SSN, including you and your accountant, will need to provide the special number assigned to you by the IRS. The number changes every year and can be obtained online or sent to you in the mail.
  • Watch out for IRS scam calls and phishing emails. The IRS will generally send several notices via snail mail before trying to call or email you. If you receive a threatening call from the IRS demanding immediate payment of back taxes or else, you should hang up, because it's probably a scam. Similarly, be wary of any emails purporting to be from the IRS, and definitely don't click any links or open any attachments. Keep in mind, the IRS will never demand immediate payment without a chance to appeal, arrest you (unless you're committing tax fraud or evasion), or demand payment using weird methods like wire transfer or iTunes gift cards. Moreover, taxes owed are always payable to the US Treasury—without exception.
  • Use good cybersecurity. As we covered earlier, identity theft often starts with some sort of malware. Granted, there's not much we can do when some business loses our information in a data breach. We are, on the other hand, empowered to stop cybercriminals from attacking us personally by adopting some form of cybersecurity. Malwarebytes, for instance, has the goods for Windows, Mac, Android, iOS and Chromebook. Malwarebytes blocks malware like keyloggers, spyware, and Trojans from getting on your computer or opening up a backdoor and stealing your data. For iPhone fans, Malwarebytes for iOS screens out phone scams and robocalls.

For readers in the UK. First, consider opting out of the open electoral register—it won't hurt your credit score. Second, consider getting a Royal Mail PO box. Both will make it much harder for criminals to get their hands on your personal info by taking your name and address of those huge public lists. And UK readers should still check their credit reports with the three UK bureaus, but keep in mind, you don't get the free annual reports like US consumers.

What do I do when my identity is stolen?

You did everything right. You took every measure possible to keep and protect your identity and then the worst thing happens. You start receiving calls from debt collectors for accounts you never opened, and you see delinquent lines of credit on your credit report.

Here's our identity theft response checklist. Print it out and stick it to your fridge or save it to your desktop as a sobering reminder that identity theft has become a sad fact of life.

  • Clean up your computer. It may not be immediately obvious how your identity was stolen (e.g., malware, scam call, data breach, etc.) so you may want to take a scorched earth approach to the recovery process. Start with a good cybersecurity program and scan your system for any potential threats. The free versions of Malwarebytes for Mac and Malwarebytes for Windows are a good place to start. Both use advanced detection technology to root out hidden threats on your system.
  • Reset your passwords for compromised accounts and any other accounts sharing the same passwords. Really though, you shouldn't reuse passwords across sites. Granted, remembering a unique alphanumeric password for all of your online accounts and services is impossible. Consider using a password manager like 1Password. Password managers have the added benefit of alerting you when you land on a spoofed website. While that login page for Google or Facebook might look real, your password manager won't recognize the URL and won't fill in your username and password for you.
  • File an identity theft report with the FTC. Some businesses and organizations require an FTC identity theft report as the first step towards documenting your identity theft. You'll also need the report to obtain an extended seven-year fraud alert from the credit bureaus and to remove fraudulent accounts from your credit file. Fun fact—the FTC is a federal law enforcement agency. This means you don't have to file another report with your local law enforcement agency, unless you know the identity thief personally or your creditors demand it as proof that you're the victim.
  • Contact your bank and creditors. You can be liable for some or all fraudulent charges and stolen funds if you don't report lost or stolen debit and credit cards immediately. If your checking account number and routing number have been compromised, you'll likely have to close the account and open a new one. And don't forget to update any auto-payments tied to those account numbers.
  • Monitor your credit file. Remember, you get a free credit report, one from each of the three major credit bureaus every year, annualcreditreport.com. This is the only US Federal Trade Commission (FTC) authorized site for obtaining free credit reports. Watch it closely.
  • Submit a fraud alert with the credit bureaus. With a fraud alert in place, no one can open a line of credit under your name without first verifying your identity. This usually means calling you and asking identifying questions that only you would know. Unlike a credit freeze, you only have to notify one credit bureau and that bureau must notify the other two. Fraud alerts last one year (up from 90 days as of 2018) so you may want to set a calendar alert to remind you to renew the alert in a year's time. As a victim of identity theft, you can request a seven-year fraud alert. A fraud alert also entitles you to a free credit report from each credit bureau, in addition to the three you already get every year.
  • Submit a credit freeze. Doing so will mostly stop cybercriminals from continuing to open credit accounts under your name. Is a freeze foolproof? Not entirely. In a disturbing report, Brian Krebs found a workaround that could potentially allow criminals to lift a freeze on your credit with only your name, Social Security number and birthday. And in the case of most Americans, all three are readily available for sale on the Dark Web.
  • Watch your inbox carefully. Opportunistic cybercriminals know that millions of victims of any given data breach are expecting some kind of communication regarding hacked accounts. These scammers will take the opportunity to send out phishing emails spoofed to look like they're coming from those hacked accounts in an attempt to get you to give up personal information.
  • Consider credit monitoring services. As mentioned previously, if the service is free, go ahead and sign up. Otherwise, consider monitoring your own credit.
  • Contact the Consumer Financial Protection Bureau (CFPB). You have a legal right under the Fair Credit Reporting Act to dispute any incorrect information on your credit report. The reporting agency has 30 days to investigate your dispute and let you know the results. If the reporting agency doesn't fix or remove the fraudulent activity, you can turn to the CFPB and file a complaint. Hopefully, you won't have to take this step, but it's nice to know there's a government agency looking out for consumers.
  • Use multi-factor authentication (MFA). Two-factor authentication is the simplest form of MFA, meaning you need your password and one other form of authentication to prove that you are who you say you are and not a cybercriminal attempting to hack your account. For example, a website might ask you to enter your login credentials and enter a separate authentication code sent via text to your phone.

Finally, for the latest on identity theft and general cybersecurity news, visit the Malwarebytes Labs blog.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Select your language

Cybersecurity basics

Your intro to everything relating to cyberthreats, and how to stop them.