How Does Identity Theft Happen? (and How To Avoid It)

You Never Think You’ll Become a Victim of Identity Theft — Until It’s Too Late

After James Ball got mugged and was robbed of his phone and bank cards, he thought the worst was over [*]. But when the attackers forced him to hand over his passwords, PINs, and phone ID, his nightmare situation was only getting started. 

By the time Ball got home and called the police, his assailants had emptied his bank account, locked him out of his email and other accounts, and stolen his identity. 

The thought of being physically attacked is terrifying. But what’s even more scary in today’s world is how easy it is for criminals to steal your identity without even touching your physical ID, wallet, or phone.

In the third quarter of 2022 alone, the Federal Trade Commission (FTC) received a staggering 260,000 identity theft reports [*]. In many cases, even the most “digitally aware” people are getting hacked as a result of large-scale data breaches and social engineering attacks [*].

The consequences of identity theft can be severe if swift action is not taken and there are many ways it can unfold. Fraudulent emails or websites that claim to be from a legitimate company or can trick you into giving out your personal information. A data breach can purloin credit card numbers or Social Security numbers.

Or more simply, identity thieves may resort to dumpster diving or scavenge your mail for personal information.

What Is Identity Theft?

Identity theft is the fraudulent acquisition (and exploitation) of your personally identifiable information (PII) for financial gain.

PII includes your:

• Name
• Address
• Date of birth
• Phone number
• Social Security number (SSN) or your child’s SSN
• Online passwords and credentials
• Credit card numbers and other financial information

According to the FTC, victims of identity fraud lost $5.9 billion in 2021 alone [*].

Identity thieves may use your personal data to open fraudulent lines of credit, steal your tax refund, and receive medical care in your name. 

While there’s no way to be 100% protected from identity theft, staying vigilant against fraud is the best way to safeguard yourself (and your family) from scammers. 

So, how does identity theft happen? And what schemes should you be on the lookout for to keep you and your family safe?

The Most Common Types of Identity Theft 

If scammers gain access to enough of your PII, they can take over your accounts, drain your bank accounts, and ruin your credit (and reputation). 

Here are a few of the most common types of identity theft that you should be aware of:

1. Financial identity theft: Fraudsters gaining access to your bank accounts 

Financial ID theft happens when your existing financial accounts are compromised, or someone creates new accounts in your name at financial institutions. Scammers will target your online bank accounts, credit card numbers, investment accounts, and more to steal your money. 

Warning signs of financial identity theft include:

• Strange or unexpected charges on your bank account or credit card statements. 
• A sudden change in your credit score. 
• Incorrect information on your credit report — such as hard inquiries that you didn’t request, or new accounts.

2. Account takeover fraud: Hackers taking over your online accounts

Account takeover fraud (ATO) occurs when hackers gain access to your online accounts — such as your email, social media, or online banking. Depending on which accounts they gain access to, criminals can steal your money, impersonate you and scam your contacts, or find more sensitive information that they can use for fraud. 

Warning signs of account takeover fraud include:

• Not being able to log into your online accounts (especially if you know your passwords should work). 
• Friends and family saying they’re receiving strange messages from you on social media. 
• Unfamiliar messages in your email “sent” folder.

3. Tax ID theft: Fraudsters filing false tax returns or stealing your refund

Tax identity theft happens when someone uses your personal information — such as your SSN — to claim fraudulent refunds after stealing your tax return. 

Warning signs of tax ID theft include:

• You get a notification from the Internal Revenue Service (IRS) that someone has already filed a tax return using your SSN.
• The IRS or Social Security Administration (SSA) have records reflecting income from a job that you’ve never had.
• You were assigned an Employer Identification Number (EIN) that you didn’t apply for. 

📚 Related: The 13 Latest Tax Refund Scams To Be Aware Of →

4. Unemployment ID theft: Scammers claiming benefits in your name

Unemployment-related identity theft occurs when someone claims unemployment benefits with your identity. Scammers may use your driver’s license or SSN to make claims under your name, and switch the associated address or bank account information to their own. 

An official report from the U.S. Labor Department revealed that at least $45 billion might have been lost to unemployment fraud between February 2021 and September 2022 [*].

Warning signs of unemployment identity theft include:

• You receive a 1099-G tax form in the mail with incorrect information.
• You’re denied unemployment benefits due to “already” receiving them.
• You receive unexpected benefits paperwork in the mail from the government or your employer.

5. Medical ID theft: Criminals stealing your benefits and healthcare

Medical ID theft happens when someone steals your Social Security or Medicare number. Thieves will use your health insurance information to access medical services such as prescription drugs and medical procedures. They may also file fraudulent medical insurance claims in your name.

Warning signs of medical identity theft include:

• You receive bills for medical procedures or prescription drugs that you never asked for. 
• Your insurance claims are denied because “you” already used up all of your benefits.
• There are mistakes and incorrect information in your medical records.

6. Child identity theft: Scammers stealing your child’s SSN

Child identity theft happens when someone steals sensitive information belonging to a child and uses it to commit fraud. Scammers target kids due to their clean credit histories — the  identities of children offer “blank slates” for criminals to use for their scams. Over 915,000 American children were victims of identity theft between July 2021 to July 2022 [*].

Warning signs of child identity theft include:

• Your child receives credit offers in the mail or already has a credit report.
• Your child is denied government benefits or student loans. 
• Your child receives bills and collection notices for accounts they never opened or purchases they didn’t make.

17 Ways Identity Theft Can Happen

Scammers are always looking for new ways to steal your identity. Here’s how you can identify and avoid some of the most common types of identity theft.

1. Phishing, smishing, and vishing
2. Lost or stolen wallets
3. Lost or stolen phones and digital devices
4. Data breaches
5. Home burglary
6. Hackers “snooping” over public Wi-Fi
7. Dark Web marketplaces
8. Malware attacks
9. Family identity theft
10. Impostor scams
11. Synthetic ID theft
12. Weak data protection
13. Malicious websites
14. Credit card skimming
15. Shoulder surfing
16. Dumpster diving and mail theft
17. Address manipulation fraud
    

1. Phishing, smishing, and vishing scams that steal your personal information

Phishing attacks occur when cybercriminals pose as representatives from well-known companies or government agencies and trick you into either giving up personal information, sending them money, or downloading malware onto your devices. 

Phishing attacks can take place via emails, fraudulent text messages (known as “smishing”), social media messages, or phone calls (known as “vishing”). 

Scammers may also try to trick you into going to a phishing website, which is designed to look like a login page of a service you use (such as your bank or a streaming service). In reality, any credentials and passwords that you input onto these pages goes straight to the scammer. 

How to prevent identity theft via phishing attacks:

• Never click on links from texts or emails that you don’t recognize. If you need to check something related to an online service that you use, go directly to their website. 
• Don’t respond to unfamiliar texts, voicemails, or emails (even replying with “STOP” can verify to a scammer that your phone number is active).
• Use antivirus software and a virtual private network (VPN) to secure your devices and network against hackers.
• Add your mobile and home phone number to the National Do Not Call Registry and learn how to block spam texts on your mobile phone. You should also report spam texts to the Federal Communications Commission (FCC).
• Look for signs of a phishing attack, such as poor grammar and spelling, a sense of urgency (or threatening language), and unfamiliar or suspicious links. 

📚 Related: How To Tell If An Email Is From a Scammer →

2. Lost or stolen wallets 

If your wallet (or purse) is stolen, scammers can gain access to your credit cards and IDs. Even just your driver’s license can provide enough personal information for a criminal to steal your identity, as your license includes your: 

• Full name
• Home address
• Date of birth
• Signature
• Picture

Scammers can use this information to run targeted scams against you, take out loans or new credit cards in your name, or sell your data on the Dark Web. 

How to prevent identity theft from lost and stolen wallets:

• Keep your wallet, purse, and sensitive documents safe at all times. Don’t carry your Social Security card or extra credit cards with you.  
• Keep an updated list of what’s inside your wallet and check it regularly to make sure you didn’t lose a card.
• If your wallet or purse goes missing, assume the worst. Alert your state Department of Motor Vehicles (DMV), local law enforcement, banks, and creditors as soon as possible. 

📚 Related: Is Your Wallet Lost or Stolen? Do This, ASAP →

3. Lost or stolen phones and digital devices

Your phone and other digital devices are golden tickets for identity thieves. With access to your phone, cybercriminals could make unauthorized purchases using your linked credit cards, break into your email and online bank accounts, or find sensitive information, photos, and videos.  

How to prevent identity theft via lost digital devices:

• Secure your phone with “auto lock,” biometric security (such as facial recognition or fingerprint ID), as well as a strong passcode. 
• Never store passwords in your mobile browser (i.e. Safari or Google Chrome). If scammers steal your phone, they can use this to access all of your online accounts. 
• Activate the “Find My Device” feature on your digital devices immediately. This feature also allows you to remotely lock or wipe your devices if they’re stolen. 
• Assign a trusted backup number to your device. This allows you to quickly recover your accounts if your phone gets hacked. 

📚 Related: Stolen Phone? Don’t Panic! Follow These 11 Steps →

4. Data breaches that expose your passwords and sensitive data

Data breaches are the leading causes of identity theft. In 2022, 1,291 data breaches have occurred to date, representing a 16% increase from 2020 [*].

Data breaches take place when hackers break into services that you use and steal your stored information. This could include your name and email address as well as passwords, credit card numbers, and even your Social Security number (SSN).

The truth is that we will all eventually have our information leaked in a data breach. And a 2021 Aura survey revealed that 34% of Americans no longer pay attention to data breaches because they happen so often. 

But you shouldn’t ignore the true dangers of a data breach. Instead, you need to proactively protect your identity and accounts from hackers. 

How to prevent identity theft via data breaches:

• Use secure and unique passwords for every site. Only 23% Americans use a password manager for their personal accounts [*]. But this means if your password is leaked in a data breach, hackers can try it to gain access to all of your accounts. 
• If you’re worried about remembering multiple passwords, Aura’s online identity theft protection service comes with an easy-to-use password manager. 
• Add two-factor authentication (2FA) on all of your accounts, and use an authenticator app instead of SMS to receive your 2FA codes.
• Reduce the amount of personal information you share with online services. Never enter your SSN, and don’t save credit cards with e-commerce sites. 

📚 Related: The 2023 Data Breach Recovery Plan →

5. Home burglary and theft of sensitive documents

While cybercrime is the fastest growing crime in the United States [*], home theft and burglary can still put you at risk of identity theft. Your home contains sensitive documents, such as bank statements, tax documents, and your passport or other IDs. 

Even worse, in the aftermath of a break-in, you might not even notice that these documents are missing.

How to prevent identity theft via home break-ins:

• Keep sensitive documents locked away in a safe or secure office. For added protection, go paperless with your bank statements and other sensitive accounts. 
• Use a shredder to get rid of unneeded documents that contain your personally identifiable information (PII).

6. Hackers “snooping” over public Wi-Fi

Public Wi-Fi networks — such as those at coffee shops, airports, and hotels — are notoriously easy to hack. If hackers break into a network you’re connected to, they can view all of the data that you send, including emails, passwords, and account numbers. 

How to prevent identity theft via public Wi-Fi hacking:

• Use a virtual private network (VPN) to hide your data from hackers. Aura’s military-grade VPN encrypts your data, so that even if hackers break into your network, they can’t see or steal your sensitive information. 
• Avoid using public Wi-Fi networks, and use your mobile phone’s hotspot instead. If you must use a public Wi-Fi network, don’t ever submit sensitive information such as your passwords, account information, or SSN.

📚 Related: How To Tell If Your Wi-Fi is Hacked →

7. Scammers buying your information on the Dark Web

The Dark Web comprises a vast network of websites and forums that aren’t accessible through standard web browsers, and provide additional anonymity to users. Cybercriminals use the Dark Web to sell and share information that has been stolen in data breaches. 

For example, leaked credit card details or bank account logins go for an average of $120 or less on the Dark Web [*].

How to prevent identity theft via Dark Web data leaks:

• Run a Dark Web scan to see what information of yours has already been leaked. Update any leaked passwords, and enable 2FA on all of your accounts. 
• Consider signing up for an identity theft protection service with Dark Web scanning. Aura’s all-in-one digital security solution constantly scans the Dark Web and other sites for your passwords and sensitive information. You’ll be alerted in near real-time if your data has been exposed.

📚 Related: What Is Dark Web Monitoring? (Get a Free Dark Web Scan) →

8. Malware attacks (ransomware, spyware, and other viruses)

Malware is a type of cyberattack in which hackers infect your devices with malicious software that can spy on you, steal your personal information, or lock your devices until you pay the hacker a ransom. 

Many of the most common scams are really just methods for hackers to infect your devices with malware. 

For example, you might get a fake text message claiming to be from your bank saying that your account was hacked. But if you click on the link in the text message, it automatically downloads malware onto your device that gives the scammer full access to your documents and passwords. 

How to prevent identity theft via malware:

• Install antivirus software and schedule regular scans of your devices. Aura’s antivirus will identify and isolate malware before it can do damage to your device. 
• Keep your apps and operating systems updated. Hackers often use security vulnerabilities in outdated software to launch their attacks. Whenever possible, enable “auto updates” to make sure your devices are as protected as possible. 
• Never click on links in suspicious emails or text messages — especially on a work device. If you’re at all in doubt, contact your IT or security department. 

In the news: Malware attacks can happen to anyone. In 2021, JBS USA — a massive food processing company — was forced to pay $11 million to scammers who had tricked employees into installing malware on company devices [*].

9. Family identity theft that targets children and seniors

Identity thieves often target children and seniors for their scams. Children are attractive targets due to their clean credit histories, while seniors rarely monitor their credit and may be less likely to recognize scammers. 

In some cases, the identity thief could even be a family member. 

How to prevent family identity theft:

• Consider signing up for a family identity theft protection plan. Aura’s family plan includes monitoring and identity theft protection for up to five adults and children who live in the same household.
• Keep your child’s SSN and other sensitive documents safe and confidential. Don’t include them on forms, as it’s not always a requirement. Remember, the less personal data floating around, the lower the chance that a scammer can find it on the Dark Web. 
• Educate your elder family members about online scams and phishing attacks. Here’s a list of some of the most common senior citizen scams that they should be aware of.

📚 Related: Internet Safety Tips For Kids & Teens (Parents Need To Know) →

10. Impostor scams in which scammers pretend to be company or government representatives

Impersonation ID theft happens when a scammer pretends to be a representative from a company that you use or from a government agency like the IRS. 

These scammers will reach out via phone calls, emails, texts, or even in person, and try to trick you into either giving up sensitive information or sending them money.  

In 2021, the FTC received almost one million complaints about imposter scams, with victims losing $2.3 billion [*].

How to prevent identity theft via imposter scams:

• Verify the identity of anyone who reaches out to you via an unsolicited message, call, or visit. Government agencies have strict rules about when and how they can interact with you. 
• If someone calls or visits you claiming to be from a company or agency, ask for their information and then hang up or close the door. Then, call the company directly using the phone number on their website and verify the information. 
• Beware of anyone claiming to be a “tech support specialist” on social media or over email. This is a common scam that fraudsters use to either gain access to your devices or get you to send them money. 

📚 Related: The 7 Latest Geek Squad Scams (and How To Avoid Them) →

11. Synthetic ID theft 

Synthetic ID theft occurs when criminals create a “new” identity by combining your SSN and other stolen data with someone else’s (or even made up) information. This “Frankenstein” identity can then be used to open new bank accounts, take out credit, or run other scams — all with your name or SSN attached to it.

How to prevent synthetic identity theft:

• Educate your parents about digital security because elders are often targets.
• Encourage your family to use 2FA on all devices.
• Use identity theft protection to safeguard your parents and children from exposure.

12. Hackers taking advantage of weak data protection

The average American household has at least 22 connected devices [*], giving cybercriminals multiple access points to your personal data. If you don’t use a robust digital security solution, they can easily hack into your accounts or even take over your computer. 

How to prevent identity theft via weak data protection:

• Keep all of your connected devices up to date, and protect them using unique and strong passwords. Keep track of all your passwords by using a password manager. 
• Consider an all-in-one digital security solution that includes device and network protection, credit monitoring, parental controls, and Dark Web monitoring.

📚 Related: What Is Criminal Identity Theft? Should You Be Worried? →

13. Malicious websites that steal your login credentials

Not all websites are secure. Scammers will often create fake websites that look like ones you’re familiar with — such as your bank or Netflix login. If you enter your login credentials on these fake websites, they go straight to the fraudster. 

Some malicious websites are also designed to infect your device with malware. Especially dangerous websites can bypass your device’s built-in security and install viruses that search your computer for passwords and financial information. 

How to prevent identity theft via malicious websites:

• Check that any website you’re visiting uses a secure “HTTPS” connection (not “HTTP”). Look for a padlock symbol by the URL, and click on it to see who the site’s security certificate is assigned to. If it’s not the same as the company name, it could be a scam. 

• Be on the lookout for “lookalike” domain names. For example, scammers will use “Walmrat.com” instead of “Walmart.com” and hope that you won’t notice. 
• Research a website before entering your credit card details or banking information.

14. Credit card “skimming” and “shimming” devices

Fraudsters install “skimming” and “shimming” devices on vulnerable ATMs and card readers to steal your credit card account information. Scammers can then use your credit card information to make fraudulent purchases online or create “cloned” versions of your card. 

How to prevent identity theft via credit card fraud:

• Be cautious whenever you use a card reader that’s in public (such as at gas stations). 
• Sign up for a credit monitoring service that will warn you of suspicious activity. Aura constantly monitors your credit card, bank, and investment accounts for signs of fraud. You’ll get alerted in near real-time if anyone is trying to use your financial information without your permission. 

📚 Related: What Is Credit Monitoring and Do You Need It? →

15. “Shoulder surfing” of your sensitive information in public

With shoulder surfing, criminals spy over your shoulder when you use digital devices in public. Their goal is to steal your personal information. 

Usually, fraudsters stand at a safe distance to avoid detection. However, they can interpret finger movements as you type on a keypad. They may also use binoculars, miniature cameras, or hidden cameras to eavesdrop on you.

How to prevent identity theft via shoulder surfing:

• Physically block out scammers when entering your PIN or passwords in public. Make sure no one has a direct line of sight to the information you’re entering or to your fingers on the PIN pad. Whenever possible, find a private place to go when entering sensitive information. 
• Add a privacy screen to your phone and laptop so that no one can see what you’re typing. 
• Never input sensitive information into a public or shared device. This includes devices at tech stores (like the Apple store). 

📚 Related: How To Avoid Refund & Recovery Scams — Don't Get Scammed Twice →

16. Dumpster diving and mail theft

Your garbage and mail can contain sensitive details that you don’t even realize are there. Credit card offers and basic bills can include enough data to steal your identity. Criminals will often steal or go through your mail looking for these critical documents. 

How to prevent identity theft via dumpster diving:

• Shred all sensitive bills, receipts, and documents before throwing them away. This includes sales and ATM receipts, pre-approved credit cards, insurance offers, and utility bills. 
• Go paperless as much as possible to reduce the amount of mail and garbage that may include your sensitive information.

17. Address manipulation fraud (i.e., change-of-address scams)

If identity thieves have your personal information, they can submit a change-of-address request with the United States Postal Service (USPS) and divert your mail to a different address. For example, they could change your address to one that they control and then request a replacement credit or debit card from your bank. 

How to prevent identity theft via change-of-address scams:

• Go paperless with your banking and other sensitive information. 
• Sign up for USPS Informed Delivery to receive a digital preview of items delivered to you. 
• Try to pick up your mail daily or use a secure mailbox. 

📚 Related: Change-of-Address Scam: What Scammers Can Do With Your Address →

What Are the First Signs of Identity Theft? 

Identity theft can be hard to identify — especially with all of the current scams and methods available to identity thieves.

But the sooner you can spot the signs of identity theft, the better chance you have of shutting down scammers before they can do too much damage. 

If you think your identity is compromised, look for these warning signs: 

• Unfamiliar charges on your credit card or bank statements. 
• Being denied applications for new credit cards, or a sudden drop in your credit score. 
• Notifications for new cards and accounts that you didn’t sign up for. 
• Calls from creditors and debt collectors about purchases you never made. 
• Unfamiliar medical bills or notifications saying that your healthcare benefits have been maxed out. 
• Missing mail or signs that your mailbox has been tampered with. 
• Password reset emails or 2FA codes that you didn’t request. 
• You’re unable to log into online accounts using your usual password. 
• Emails alerting you about a data breach. 
• Fraud alerts from your bank or credit monitoring service.

Do You Think Your Identity Has Been Stolen? Do This!

• Contact your identity theft insurance provider. If you have identity theft insurance, your insurer should be your first call. Aura’s team of 24/7 U.S.-based White Glove Fraud Resolution specialists will walk you through the steps of recovering from fraud and identity theft. Plus, if the worst should happen, every adult member on an Aura plan is covered by a $1,000,000 insurance policy for eligible losses due to identity theft.
• Freeze your credit. A credit freeze stops scammers from accessing your credit file and opening new accounts. To freeze your credit, contact each of the three major credit bureaus — Experian, Equifax, and TransUnion. 
• Notify your bank, credit card companies, and any place where you know fraud occurred. Ask to talk to the fraud department and tell them what happened. They’ll cancel your compromised accounts and cards and issue you new ones. 
• File an official report with the FTC. An identity theft report with the FTC is essential to repairing the damage of identity theft. Go to IdentityTheft.gov or call the FTC at 1-877-438-4338.
• Contact your local law enforcement (optional). If you have any information that could lead to an arrest, you should contact your local police department and file an identity theft report.
• Notify other impacted agencies (DMV, IRS, health insurer, etc.) If you’ve lost your ID or had an online account compromised, contact those agencies and tell them what happened. For the SSA, call 1-800-269-0271. For the IRS, call 1-800-908-4490. For a stolen driver’s license, contact your local DMV office.
• Regain control of any compromised accounts, and force unfamiliar sessions to log out. Request new passwords and set up recovery email addresses wherever possible. 
• Scan the Dark Web for your information, and update passwords. Use Aura’s free Dark Web scanner to see what information hackers have access to. Update any compromised accounts as soon as possible.
• Use antivirus software to remove malware from your devices. Do a full scan to find any lingering malware that could lead to future fraud. 
• Replace stolen or lost IDs. If your passport was lost or stolen, you’ll need to contact the State Department or call 1-877-487-2778. Also get a replacement Social Security card if applicable.
• Dispute fraudulent transactions and repair your credit. Ask the credit reporting agencies to block information from your file resulting from identity theft. Blocking damaging information ensures that it doesn’t stay on your credit report.

Related: How To Prevent Identity Theft From Ruining Your Life in 2023 →

The Bottom Line: Prevent Identity Theft and Protect Your Entire Family

The damage from identity theft can be staggering. Even worse, it’s rarely a one-time ordeal. Almost 30% of all people who have their identities stolen are repeat victims [*].

To keep yourself and your entire family safe from identity theft, you need to be proactive. Here are a few ways you can make yourself a less-attractive target to identity thieves and cybercriminals:

• Regularly review your credit report and bank statements. Request a free credit report at annualcreditreport.com and look for unfamiliar accounts or transactions.
• Keep your SSN and other sensitive information safe. Don’t share your SSN unless it’s absolutely necessary.
• Protect your online accounts with 2FA and a password manager. Use an authenticator app like Authy or Google Authenticator to be extra safe. 
• Install antivirus software and a VPN to shut out hackers. Make sure you keep your software and operating systems up to date as well. 
• Avoid public Wi-Fi and keep your devices safe in public. Don’t input any sensitive information over unsecured networks. 
• Sign up for identity theft protection with credit monitoring. 

For added protection with minimal effort, let a trusted company like Aura do the work for you. 

Aura constantly monitors your sensitive information, financial accounts, devices, and home network for signs of fraud. If anyone is trying to use your personal information for illicit reasons, Aura will notify you in near real-time and help you shut down the scammers. 

Keep your identity and finances secure. Try Aura free for 14 days →