How Does Identity Theft Happen? (and How To Avoid It)

What Is Identity Theft?

Identity theft is the fraudulent acquisition (and exploitation) of your personally identifiable information (PII) for financial gain. Identity thieves can use your personal data for multiple types of identity theft, from bank and loan fraud to stealing your tax return or even receiving medical care in your name.

You can become the victim of identity theft if scammers have access to PII such as your:

• Name
• Address
• Date of birth
• Phone number
• Social Security number (SSN) or your child’s SSN
• Online passwords and credentials
• Credit card numbers and other financial information

While there’s no way to be 100% protected from identity theft, staying vigilant against fraud is the best way to safeguard yourself (and your family) from scammers.

In this guide, we’ll cover the most common ways that identity theft happens — including the schemes and warning signs you need to be aware of to stay safe.

{{show-toc}}

What Are the First Signs of Identity Theft?

The consequences of identity theft can be severe if swift action is not taken as soon as you see the warning signs. The sooner you spot the signs of identity theft, the better chance you have of shutting down scammers before they can do too much damage.

If you think your identity is compromised, look for these warning signs:

• Unfamiliar charges or withdrawals on your credit card or bank statements.
• Being denied applications for new credit cards, or a sudden drop in your credit score.
• Notifications for new cards and accounts that you didn’t sign up for.
• Calls from creditors and debt collectors about purchases you never made.
• Unfamiliar medical bills or notifications saying that your healthcare benefits have been maxed out.
• Missing mail or signs that your mailbox has been tampered with.
• Password reset emails or 2FA codes that you didn’t request.
• You’re unable to log into online accounts using your usual password.
• Emails alerting you about a data breach.
• Fraud alerts from your bank or credit monitoring service.

How Does Identity Theft Happen? (17 Ways)

1. Phishing, smishing, and vishing
2. Lost or stolen wallets
3. Lost or stolen phones and digital devices
4. Data breaches
5. Home burglary
6. Hackers “snooping” over public Wi-Fi
7. Dark Web marketplaces
8. Malware attacks
9. Family identity theft
10. Impostor scams
11. Synthetic ID theft
12. Weak data protection
13. Malicious websites
14. Credit card skimming
15. Shoulder surfing
16. Dumpster diving and mail theft
17. Address manipulation fraud

The Federal Trade Commission (FTC) received over 5.4 million reports of identity theft and fraud in 2023 alone — with victims losing upwards of $10 billion [*].

To protect yourself, you need to know how someone can steal your identity and what you can do to stop them.

1. Phishing, smishing, and vishing scams that steal your personal information

Phishing attacks occur when cybercriminals pose as representatives from well-known companies or government agencies and trick you into giving up personal information, sending them money, downloading malware onto your devices, or clicking malicious links that take you to fake websites that steal your passwords and data.

Phishing attacks can take place via emails, fraudulent text messages (known as “smishing”), social media messages, or phone calls (known as “vishing”).

How to prevent identity theft via phishing attacks:

• Never respond to or click on links from texts or emails that you don’t recognize. If you need to check something related to an online service that you use, go directly to their website.

• Use antivirus software and a virtual private network (VPN) to secure your devices and network against hackers.
• Add your mobile and home phone number to the National Do Not Call Registry and learn how to block spam texts on your mobile phone. You should also report spam texts to the Federal Communications Commission (FCC).
• Look for signs of a phishing attack, such as poor grammar and spelling, a sense of urgency (or threatening language), and unfamiliar or suspicious links.

📚 Related: How To Tell If An Email Is From a Scammer →

2. Lost or stolen wallets

After James Ball got mugged and was robbed of his phone and bank cards, he thought the worst was over [*]. But when the attackers forced him to hand over his passwords, PINs, and phone ID, he didn’t realize that his nightmare situation was only getting started.

By the time Ball got home and called the police, his assailants had emptied his bank account, locked him out of his email and other accounts, and stolen his identity.

If your wallet (or purse) is stolen, scammers can gain access to your credit cards and IDs. Even just your driver’s license can provide enough personal information for a criminal to commit identity fraud, including your full name, home address, date of birth, signature, and picture.

Scammers can use this information to run targeted scams against you, take out loans or new credit cards in your name, or sell your data on the Dark Web.

How to prevent identity theft from lost and stolen wallets:

• Keep your wallet, purse, and sensitive documents safe at all times. Don’t carry your Social Security card or extra credit cards with you.  
• Keep an updated list of what’s inside your wallet and check it regularly to make sure you didn’t lose a card.
• If your wallet or purse goes missing, alert your state Department of Motor Vehicles (DMV), local law enforcement, banks, and creditors as soon as possible.

📚 Related: Is Your Wallet Lost or Stolen? Do This, ASAP →

3. Lost or stolen phones and digital devices

With access to your phone or other devices, cybercriminals could make unauthorized purchases using your linked credit cards, break into your email and online bank accounts, or find sensitive information, photos, and videos.  

How to prevent identity theft via lost digital devices:

• Secure your phone with “auto lock,” biometric security (such as facial recognition or fingerprint ID), as well as a strong passcode.
• Never store passwords in your mobile browser (i.e. Safari or Google Chrome). If scammers steal your phone, they can use this to access all of your online accounts.
• Activate the “Find My Device” feature on your digital devices immediately. This feature also allows you to remotely lock or wipe your devices if they’re stolen.
• Assign a trusted backup number to your device. This allows you to quickly recover your accounts if your phone gets hacked.

📚 Related: Stolen Phone? Don’t Panic! Follow These 11 Steps →

4. Data breaches that expose your passwords and sensitive data

Data breaches take place when hackers break into services that you use and steal your stored information. This could include your name and email address as well as passwords, credit card numbers, and even your Social Security number (SSN).

2023 was the worst year of all time for data breaches — with over 3,200 reported breaches and 350 million victims [*].

Leaked data often ends up on the Dark Web, where it can be bought and sold by scammers who use it break into your accounts or steal your identity online.

How to prevent identity theft via data breaches:

• Use secure and unique passwords for every site. If you reuse passwords, a single data breach could give hackers access to all of your accounts. If you’re worried about remembering multiple passwords, Aura’s online identity theft protection service comes with an easy-to-use password manager.‍
• Add two-factor authentication (2FA) on all of your accounts, and use an authenticator app instead of SMS to receive your 2FA codes.‍
• Reduce the amount of personal information you share with online services. Never enter your SSN, and don’t save credit cards with e-commerce sites.

5. Home burglary and theft of sensitive documents

While cybercrime is the fastest growing crime in the United States [*], home theft and burglary can still put you at risk of identity theft. Your home contains sensitive documents, such as bank statements, tax returns (and other documents) and your passport or other IDs.

Even worse, in the aftermath of a break-in, you might not even notice that these documents are missing.

How to prevent identity theft via home break-ins:

• Keep sensitive documents locked away in a safe or secure office. For added protection, go paperless with your bank statements and other sensitive accounts.
• Use a shredder to get rid of unneeded documents that contain your personally identifiable information (PII).

📚 Related: The Best Identity Theft Protection for Seniors (2024) →

6. Hackers “snooping” over public Wi-Fi

Public Wi-Fi networks — such as those at coffee shops, airports, and hotels — are notoriously easy to hack. If hackers break into a network you’re connected to, they can view all of the data that you send, including emails, passwords, and account numbers.

How to prevent identity theft via public Wi-Fi hacking:

• Use a virtual private network (VPN) to hide your data from hackers. Aura’s military-grade VPN encrypts your data, so that even if hackers break into your network, they can’t see or steal your sensitive information.
• Use your mobile phone’s hotspot when out in public. If you must use a public Wi-Fi network, don’t ever submit sensitive information such as your passwords, account information, or SSN.

📚 Related: How To Tell If Your Wi-Fi is Hacked →

7. Scammers buying your information on the Dark Web

The Dark Web comprises a vast network of websites and forums that aren’t accessible through standard web browsers, and provide additional anonymity to users. Cybercriminals use the Dark Web to sell and share information that has been stolen in data breaches.

For example, leaked credit card details or bank account logins go for an average of $60 or less on the Dark Web [*].

How to prevent identity theft via Dark Web data leaks:

• Run a Dark Web scan to see what information of yours has already been leaked. Update any leaked passwords, and enable 2FA on all of your accounts.
• Consider signing up for an identity theft protection service with Dark Web monitoring. Aura’s all-in-one digital security solution constantly scans the Dark Web and other sites for your passwords and sensitive information. You’ll be alerted in near real-time if your data has been exposed.

📚 Related: What Is Dark Web Monitoring? (Get a Free Dark Web Scan) →

8. Malware attacks (ransomware, spyware, and other viruses)

Cybercriminals will try to infect your devices with malware and then spy on you, lock your devices until you pay them a ransom, or steal your sensitive data.

For example, you might get a fake text message claiming that your bank account was hacked. But if you click on the link in the text message, it automatically downloads malware onto your device that gives the scammer full access to your documents and passwords.

How to prevent identity theft via malware:

• Install antivirus software and schedule regular scans of your devices. Aura’s antivirus will identify and isolate malware before it can do damage to your device.
• Keep your apps and operating systems updated. Hackers often use security vulnerabilities in outdated software to launch their attacks. Whenever possible, enable “auto updates” to make sure your devices are as protected as possible.
• Never click on links in suspicious emails or text messages — especially on a work device. If you’re at all in doubt, contact your IT or security department.

9. Family identity theft that targets children and seniors

Identity thieves often target children and seniors with their scams. Children are attractive targets due to their clean credit histories, while seniors rarely monitor their credit and may be less likely to recognize scammers.

In some cases, the identity thief could even be a family member.

How to prevent family identity theft:

• Keep your child’s SSN and other sensitive documents safe and confidential. Don’t include them on forms, as it’s not always a requirement. Remember, the less personal data floating around, the lower the chance that a scammer can find it on the Dark Web.
• Educate your elder family members about online scams and phishing attacks. Here’s a list of some of the most common senior citizen scams that they should be aware of.
• Consider signing up for a family identity theft protection plan. Aura’s family plan includes monitoring and identity theft protection for up to five adults and children who live in the same household.

📚 Related: Internet Safety Tips For Kids & Teens (Parents Need To Know) →

10. Impostor scams in which scammers pretend to be company or government representatives

Impersonation ID theft happens when a scammer pretends to be a representative from a company that you use or from a government agency like the IRS.

These scammers will reach out via phone calls, emails, texts, or even in person, and try to trick you into either giving up sensitive information or sending them money.

How to prevent identity theft via imposter scams:

• Verify the identity of anyone who reaches out to you via an unsolicited message, call, or visit. Government agencies have strict rules about when and how they can interact with you.
• If someone calls or visits you claiming to be from a company or agency, ask for their information and then hang up or close the door. Then, call the company directly using the phone number on their website and verify the information.
• Beware of anyone claiming to be a “tech support specialist” on social media or over email. This is a common scam that fraudsters use to either gain access to your devices or get you to send them money.

📚 Related: The 7 Latest Geek Squad Scams (and How To Avoid Them) →

11. Synthetic ID theft

Synthetic ID theft occurs when criminals create a “new” identity by combining your SSN and other stolen data with someone else’s (or even made up) information. This “Frankenstein” identity can then be used to open new bank accounts, take out credit from lenders, or run other scams — all with your name or SSN attached to it.

How to prevent synthetic identity theft:

• Monitor your SSN for signs of fraud. Aura can alert you if someone is using your SSN to apply for credit or open accounts.
• Educate your parents or grandparents about digital security. Elders are often targets of synthetic identity fraud and should take extra precautions such as installing antivirus and using 2FA on their devices.

📚 Related: What To Do After a Data Breach: 2024 Data Breach Recovery Plan →

12. Hackers taking advantage of weak data protection

In 2024, the average American household has 17 connected devices [*], giving cybercriminals multiple access points to your personal data. If you don’t use a robust digital security solution, they can easily hack into your accounts or even take over your computer.

How to prevent identity theft via weak data protection:

• Keep all of your connected devices up to date, and protect them using unique and strong passwords. Keep track of all your passwords by using a password manager.
• Consider an all-in-one digital security solution that includes device and network protection, credit monitoring, parental controls, and Dark Web monitoring.

13. Malicious websites that steal your login credentials

Not all websites are secure. Scammers will often create fake websites that look like ones you’re familiar with — such as your bank or Netflix login. If you enter your login credentials on these fake websites, they go straight to the fraudster.

How to prevent identity theft via malicious websites:

• Check that any website you’re visiting uses a secure “HTTPS” connection (not “HTTP”). Look for a padlock symbol by the URL, and click on it to see who the site’s security certificate is assigned to. If it’s not the same as the company name, it could be a scam.‍
• Be on the lookout for “lookalike” domain names. For example, scammers will use “Walmrat.com” instead of “Walmart.com” and hope that you won’t notice. ‍
• Use Safe Browsing tools to warn you of fake websites. Aura's Smart Network can warn you of potential phishing links and sites before you enter your passwords, credit card, or bank account number.

📚 Related: What Is Criminal Identity Theft? Should You Be Worried? →

14. Credit card “skimming” and “shimming” devices

Fraudsters install “skimming” and “shimming” devices on vulnerable ATMs and card readers to steal your credit card account information. Scammers can then use your credit card information to make fraudulent purchases online or create “cloned” versions of your card.

How to prevent identity theft via credit card fraud:

• Be cautious whenever you use a card reader that’s in public (such as at gas stations).
• Sign up for a credit monitoring service that will warn you of suspicious activity. Aura constantly monitors your credit card, bank, and investment accounts for signs of fraud. You’ll get alerted in near real-time if anyone is trying to use your financial information without your permission.

📚 Related: What Is Credit Monitoring and Do You Need It? →

15. “Shoulder surfing” of your sensitive information in public

With shoulder surfing, criminals spy over your shoulder when you use digital devices in public. Their goal is to steal your personal information.

Usually, fraudsters stand at a safe distance to avoid detection. However, they can interpret finger movements as you type on a keypad. They may also use binoculars, miniature cameras, or hidden cameras to eavesdrop on you.

How to prevent identity theft via shoulder surfing:

• Physically block out scammers when entering your PIN or passwords in public. Make sure no one has a direct line of sight to the information you’re entering or to your fingers on the PIN pad. Whenever possible, find a private place to go when entering sensitive information.
• Add a privacy screen to your phone and laptop so that no one can see what you’re typing.
• Never input sensitive information into a public or shared device. This includes devices at tech stores (like the Apple store).

📚 Related: How To Avoid Refund & Recovery Scams — Don't Get Scammed Twice →

16. Dumpster diving and mail theft

Your garbage and mail can contain sensitive details that you don’t even realize are there. Credit card statements or offers and basic bills can include enough data to steal your identity. Criminals will often steal or go through your mail looking for these critical documents.

How to prevent identity theft via dumpster diving:

• Shred all sensitive bills, receipts, and documents before throwing them away. This includes sales and ATM receipts, pre-approved credit cards, insurance offers, and utility bills.
• Go paperless as much as possible to reduce the amount of mail and garbage that may include your sensitive information.

📚 Related: How To Repair Your Credit After Identity Theft →

17. Address manipulation fraud (i.e., change-of-address scams)

If identity thieves have your personal information, they can submit a change-of-address request with the United States Postal Service (USPS) and divert your mail to a different address. For example, they could change your address to one that they control and then request a replacement credit or debit card from your bank.

How to prevent identity theft via change-of-address scams:

• Go paperless with your banking and other sensitive information. It’s much safer to have account statements sent to your email, rather than your physical mailbox. ‍
• Try to pick up your mail daily or use a secure mailbox. You can also sign up for USPS Informed Delivery to receive a digital preview of items delivered to you.

Do You Think Your Identity Has Been Stolen? Do This

• Contact your identity theft insurance provider. If you have identity theft insurance, your insurer should be your first call. Aura’s team of 24/7 U.S.-based White Glove Fraud Resolution specialists will walk you through the steps of recovering from fraud and identity theft. Plus, if the worst should happen, every adult member on an Aura plan is covered by a $1,000,000 insurance policy for eligible losses due to identity theft.
• Freeze your credit. A credit freeze stops scammers from accessing your credit file and opening new accounts. To freeze your credit, contact each of the three major credit bureaus — Experian, Equifax, and TransUnion.
• Notify your bank, credit card companies, and any place where you know fraud occurred. Ask to talk to your financial institution’s fraud department and tell them what happened. They’ll cancel your compromised accounts and cards and issue you new ones.
• File an official report with the FTC. An identity theft report with the FTC is essential to repairing the damage of identity theft. Go to IdentityTheft.gov or call the FTC at 1-877-438-4338.
• Contact your local law enforcement (optional). If you have any information that could lead to an arrest, you should contact your local police department and file a police report for identity theft.
• Notify other impacted agencies (DMV, IRS, health insurer, etc.) If you’ve lost your ID or had an online account compromised, contact those agencies and tell them what happened. For the SSA, call 1-800-269-0271. For the IRS, call 1-800-908-4490. For a stolen driver’s license, contact your local DMV office.
• Regain control of any compromised accounts, and force unfamiliar sessions to log out. Request new passwords and set up recovery email addresses wherever possible.
• Scan the Dark Web for your information, and update passwords. Use Aura’s free Dark Web scanner to see what information hackers have access to. Update any compromised accounts as soon as possible.
• Use antivirus software to remove malware from your devices. Do a full scan to find any lingering malware that could lead to future fraud.
• Replace stolen or lost IDs. If your passport was lost or stolen, you’ll need to contact the State Department or call 1-877-487-2778. Also get a replacement Social Security card if applicable.
• Dispute fraudulent transactions and repair your credit. Ask the credit reporting agencies to block information from your file resulting from identity theft. Blocking damaging information ensures that it doesn’t stay on your credit report.

📚 Related: Is Aura Worth It? Here's How To Know →

The Bottom Line: Prevent Identity Theft and Protect Your Entire Family

The damage from identity theft can be staggering. Even worse, it’s rarely a one-time ordeal. The latest data shows that almost 50% of all people who have their identities stolen are repeat victims [*].

To keep yourself and your entire family safe from identity theft, you need to be proactive. Here are a few ways you can make yourself a less-attractive target to identity thieves and cybercriminals:

• Regularly review your credit report and bank statements. Request a free credit report at annualcreditreport.com and look for unfamiliar accounts or transactions.
• Keep your SSN and other sensitive information safe. Don’t share your SSN unless it’s absolutely necessary.
• Protect your online accounts with 2FA and a password manager. Use an authenticator app like Authy or Google Authenticator to be extra safe.
• Install antivirus software and a VPN to shut out hackers. Make sure you keep your software and operating systems up to date as well.
• Avoid public Wi-Fi and keep your devices safe in public. Don’t input any sensitive information over unsecured networks.
• Sign up for identity theft protection with credit monitoring.

For added protection with minimal effort, let a trusted company like Aura do the work for you.

Aura constantly monitors your sensitive information, financial accounts, devices, and home network for signs of fraud. If anyone is trying to use your personal information for illicit reasons, Aura will notify you in near real-time and help you shut down the scammers.

Keep your identity and finances secure. Try Aura free for 14 days →