IDENTITY THEFT

Identity theft is a crime in which someone wrongfully obtains and uses another person’s personal data in some way that
involves fraud or deception, typically for economic gain.
Identity thieves use personal information to steal people’s identities. Such personal information might
include a person’s name, government identification number, date of birth, home address, email address,
mother’s maiden name, telephone number, and other identifying information. Identity thieves can exploit
this information in a number of ways, including by opening bank or credit card accounts, taking over
existing accounts, or obtaining loans in a victim’s name without the victim’s knowledge.
Perpetrators of Identity Theft
Unlike fraudsters who steal because of a perceived need, many identity thieves make a living stealing
identities for profit or as a way to supplement their incomes. Although identity thieves can be
employees, friends, or relatives, they are frequently members of organized crime groups,
Identity theft, however, can be committed by anyone. Perpetrators of identity theft are sometimes the
victim’s coworkers. In cases involving business identity theft, the perpetrator is often one of the
company’s employees, vendors, or business associates. People trying to hide their criminal records
also engage in identity theft.
Victims of Identity Theft
Identity theft can happen to anyone. The following groups, however, are favorite targets of identity
thieves.
Children
Identity thieves target children because children have no credit histories and neither the child nor the
child’s parents are likely to monitor the child’s credit information. This gives the identity thief plenty of
time to build the child’s credit, open accounts, and then abscond with as much money as possible. Many
of the children will not discover that their credit is ruined until they enter the workforce or apply for
credit. Family members often perpetrate child identity theft.

Senior/aged citizens
Identity thieves target seniors because, compared to younger victims, seniors often have more available
cash, check their credit reports less frequently, and are less aware of identity theft and other fraud.
Family members and other caregivers often defraud seniors, particularly when they live in residential
facilities or have diminished mental capacity.
Generally, seniors are less likely to report identity theft than younger victims.

Military/diaspora residents
There are several factors that make members of the military vulnerable to identity theft. Military
members are often deployed overseas for long periods of time, making it difficult for them to monitor
their credit. For this reason, it is common for identity theft against military members to go undetected
for years. In addition, military members sometimes have special needs, such as health problems, which
can be exploited by fraudsters.
Diaspora residents on the other hand too take long to check on their portfolios/accounts. This is a
loophole exploited by

College Students
College students are a favorite target of identity thieves because they are inexperienced in using and
managing credit. Many college students are not concerned about identity theft or other types of fraud
and therefore do not take steps to protect themselves. Furthermore, most college students do not
check their credit reports frequently.

The Deceased
Fraudsters often steal deceased individuals’ identities. The obvious advantage is that the deceased do not
monitor their credit. Additionally, family members might forget to inform creditors of the death, so the
deceased person’s financial accounts remain open. Identity thieves can collect full names and birthdates
from tombstones or obituaries, and they can then use various methods to obtain more personal
information about the deceased, such as calling the funeral home and impersonating a family
member
Methods of Committing Identity Theft
There are two general methods of committing identity theft:
 Traditional identity theft
 Synthetic identity theft

Traditional Identity Theft

In traditional identity theft, a fraudster steals an individual’s personal information and pretends to be that
individual. For example, a fraudster might use an individual’s name, government identification number,
and date of birth to impersonate the individual and gain access to the individual’s bank account. This is
called an account takeover. In an account takeover, the fraudster typically changes the address associated
with the account so that the victim does not receive immediate notice of new activity.
Another type of traditional identity theft is true name fraud, in which a fraudster uses an individual’s
personal information to open a new account in the individual’s name. Unlike an account takeover,
which involves an existing account, true name fraud involves a new account.
Synthetic Identity Theft
Unlike traditional identity theft, synthetic identity theft involves the use of a fictitious identity. A fraudster
might use entirely fabricated personal information or a combination of real and fabricated information to
create a new identity.
Fraudsters often use children’s government identification numbers to commit synthetic identity theft.
This is because neither the child nor the child’s parents is likely to monitor the child’s credit, which gives
the fraudster time to complete the scheme without detection.
Even when an adult’s personal information is used, synthetic identity theft can be difficult to detect
because the fraud might not appear on the individual’s credit report, or it might only appear in a sub-
file.

Types of Identity Theft Schemes

This section discusses the most common types of identity theft schemes.

Financial Identity Theft

Financial identity theft occurs when a fraudster uses an individual’s personal information for
fraudulent financial transactions. Examples of financial identity theft include:
 Using an individual’s stolen credit card or credit card number to purchase goods
(account takeover)
 Impersonating an individual to gain access to the individual’s bank account
(account takeover)
 Using an individual’s personal information to open a new credit card account
(true name fraud)

Most identity theft involves accessing existing financial accounts or creating new financial accounts.
Therefore, most identity theft is financial identity theft.
Criminal Identity Theft
Criminal identity theft occurs when fraudsters falsely identify themselves as other people to law
enforcement while being arrested or investigated for a crime. The crime is then incorrectly
attributed to the other person instead of the fraudster.
Criminal identity theft is usually discovered when the victim is pulled over by law enforcement,
attempts to renew a driver’s license, or authorizes a criminal background check. Victims of criminal
identity theft are at risk of arrest until their criminal records are corrected. Moreover, victims
might be terminated or not hired for jobs in which criminal background checks are required.
 Medical Identity Theft
Medical identity theft occurs when a fraudster uses another person’s identity to obtain medical care,
prescription drugs, or payments from the government. The following are examples of medical
identity theft:
 A fraudster uses a victim’s stolen driver’s license and health insurance card to obtain
prescription painkillers from multiple pharmacies.
 A pregnant fraudster uses a victim’s stolen health insurance information to obtain maternity care at a
hospital.
 A fraudster uses a victim’s personal information to file claims for government disability
benefits.

Medical identity theft can have dire consequences for the victim’s health. Often, the victim’s medical
records are contaminated by the imposter’s medical records, which can result in increased cost for
medical insurance, denial of medical benefits, misdiagnosis, delayed or improper medical treatment, or
even death.
Medical identity theft can be difficult to detect. Victims might not realize they have been defrauded
until they are billed for medical services they did not receive or discover unpaid medical bills on their
credit reports. In other cases, victims learn of the fraud when they are denied medical insurance
benefits.

Insurance Identity Theft

In an insurance identity theft scheme, a fraudster impersonates another person to obtain insurance
coverage or benefits. If the scheme involves medical insurance, it can also be classified as medical
identity theft. However, not all insurance identity theft schemes involve medical insurance. Fraudsters
can use identity theft to obtain benefits under many other types of insurance policies, including
automobile insurance, homeowner’s and rental insurance, life insurance, and liability insurance.
Tax Identity Theft
In a tax identity theft scheme, a fraudster uses another person’s identity to file a tax return and
obtain a refund from the government.
Employment Identity Theft
In an employment identity theft scheme, a fraudster impersonates another person to secure a job. Fraudsters often
commit this type of identity theft because they are not legal citizens or a background check would reveal
disqualifying information about them. For most victims of employment identity theft, the government
provides notice of the fraud.
For example, the government might inform the victim that there are taxes owed for unreported wages or that
multiple tax returns have been filed under the victim’s government identification number. Another red flag is a
credit report that contains the name of an unknown employer.
Business Identity Theft
While individuals are the usual targets of identity theft, identity thieves sometimes target businesses.
Business identity theft occurs when a fraudster impersonates a business to commit financial fraud.
In addition to impersonating an existing business, fraudsters can use government business filings to
reinstate a closed or dissolved business. They can also trick third parties by creating a new business
with a name similar to an existing business.
For identity thieves, there are a number of reasons to target a business rather than an individual. First,
the potential rewards are greater; businesses tend to have larger bank account balances, easier access to
credit, and higher credit limits than individuals. Second, businesses are less likely to notice new or unusual
financial transactions because they tend to engage in more transactions than individuals. Finally, the
information necessary to commit business identity theft (e.g., business or tax identification numbers) is
often publicly available online or in government records.
Small businesses are particularly at risk for business identity theft because they have the lines of credit,
capital, and other features desired by fraudsters, while often lacking the resources and technology needed
to properly defend against identity theft. Smaller companies and individually owned businesses often rely
heavily on the owner’s personal credit, making the impact of business identity theft even more
destructive. Furthermore, small businesses might be especially wary of revealing identity theft out of
fear that consumers will take their business to a larger company that ostensibly offers an increased
level of data security.

How Identity Thieves Steal Information

Identity thieves use a number of methods to steal personal and business information. Some of the
methods, such as computer hacking, are complex and involve high technology. Other methods, such as
dumpster diving, are simple and do not require great skill.
Dumpster Diving
Dumpster diving involves looking through someone else’s trash. Fraudsters often engage in dumpster
diving to find the personal and business information that makes identity theft possible.
Most people do not destroy their personal financial data; they simply throw it away with the rest of
their trash. Dumpster diving can yield bills, credit card receipts, bank statements, and other items that
contain a person’s name, address, and telephone number. Solicitations for pre-approved credit cards are
especially valuable to identity thieves, but even nonfinancial information can be useful. For example, a
discarded birthday card might contain a potential victim’s name, birthdate, and address.
In addition to targeting people’s trash, identity thieves target the trash of businesses, such as banks,
insurance companies, and hospitals. A business’s trash can contain sensitive information about the
business, as well as its customers.

Discarded Devices
Fraudsters commonly obtain personal and business information from improperly discarded computers,
media drives, copiers, printers, mobile phones, and other devices. Like computers, some copiers and
printers have internal hard drives that store sensitive data.
Because it is possible to recover deleted data, fraudsters might search for sensitive information on
second-hand devices they purchase online or obtain from another source. Data can be permanently
erased from such devices with specialized software.
Mail Theft
Mail theft is another method that identity thieves use to obtain personal and business information.
Fraudsters can steal mail from public mailboxes or the private mailboxes of individuals and businesses.
Private mailboxes are often unsecured, making mail theft easy. Public mailboxes usually have security
features, such as locks and specially designed mail slots, but determined thieves can circumvent these
features. In addition, mail carriers and other postal workers are sometimes accomplices in mail theft
schemes.
Both incoming and outgoing mail can provide useful information for identity thieves. Incoming mail
might contain bills, financial statements, insurance information, or solicitations for pre-approved credit
cards. Outgoing mail often contains checks or other payments, along with statements that include the
customer’s account, bank, or credit card number. A lucky fraudster might even find a money order in
outgoing mail.
Change of Mailing Address
Another way to obtain personal or business information is to surreptitiously change the victim’s mailing
address (or email address) to an address selected by the identity thief. In this way, the identity thief
receives the victim’s mail directly, and no theft is required. The purpose of the fraud was to obtain
the personal information necessary to commit identity theft. But fraudsters also change victims’
addresses for another purpose—to conceal identity theft.
When an account takeover occurs, for example, the fraudster changes the mailing address (or email address)
to which monthly statements are sent. This can delay the victim’s discovery of the fraud.
Shoulder Surfing
Shoulder surfing is the practice of observing another person (e.g., looking over the person’s shoulder) to
gather personal information. Shoulder surfing is especially effective in crowded areas where a fraudster
can stand close to a victim without being noticed. While in close proximity, the fraudster can
eavesdrop on the victim’s telephone conversation, view the victim’s credit card number, or gather other
personal information. Identity thieves often watch victims as they enter their personal identification
numbers (PINs) at automated teller machines (ATMs) or fill out bank deposit slips at their banks.

Piggybacking
Piggybacking is a method used to gain access to restricted areas, including computer systems, in which
the fraudster exploits another person’s access capability. Examples of piggybacking include:
 Following an authorized person into a restricted area, either surreptitiously or by
convincing the authorized person that the piggy backer is also authorized
 Pretending to be a member of a large crowd of people authorized to enter a
restricted area
Piggybacking can also be used to gain access to a company’s secured computer network. Piggy backers
might access a computer network while an authorized user is distracted, or they can take advantage of
the user’s failure to properly log out of the network. In addition, piggy backers might convince
authorized users to share their computer log-in information.
Social Engineering
In the context of identity theft, social engineering refers to the psychological manipulation of people
to trick them into revealing personal or business information. Social engineering exploits the natural
tendencies of humans to be cooperative and to trust others. After researching a victim, social
engineers often impersonate someone the victim can trust, such as an authority figure or a
business associate.

Social engineering often involves pretexting, the act of using an invented scenario (i.e., a pretext) to
persuade a person to release information or perform an action. Identity thieves often engage in
pretexting by impersonating the victim’s bank or another financial institution with which the victim
has a business relationship. In addition, pretexts commonly impersonate:
 Government employees
 Law enforcement or court personnel
 Representatives of the victim’s Internet service provider (ISP)
 Strangers in need of help

If the target is a company, pretexters might impersonate the company’s high-level employees, IT
professionals, or legal department. They might also pretend to be the company’s customers or
vendors.
 Additional discussions of social engineering can be found in the “Computer and Internet Fraud” and
“Theft of Data and Intellectual Property” chapters of this section of the Fraud Examiners
Manual.

Phishing
Phishing is a type of social engineering. In modern phishing schemes, fraudsters use electronic
communications to impersonate trusted individuals or entities. Phishers typically use emails to direct
Internet users to websites that look like legitimate e-commerce sites, such as online banks, retailers,
or government agencies. Phishers actually control these sites and use them to steal sensitive
information, such as bank account details and passwords.
Vishing
While phishing uses emails to obtain information for identity theft, vishing (or voice phishing)
schemes use telephone calls or voice messages to trick targets into revealing personal or
business information. A more detailed discussion of vishing can be
found in the “Computer and Internet Fraud” chapter of this section of the Fraud Examiners
Manual.

SMiShing
SMiShing refers to the use of text messages (also known as short message service or SMS) to trick
targets into revealing personal or business information. SMiShing is discussed in more detail in the
Pharming
In a pharming scheme, Internet users are automatically redirected from a legitimate website to an
imitation website. The users then unknowingly provide information to identity thieves through the
imitation website. A more detailed discussion of pharming can be found in the “Computer and
Internet Fraud”

Baiting
In a baiting scheme, fraudsters leave malware-infected USB flash drives, CD-ROMs, or similar items
in places where people will find them, such as parking lots. The items often have a label
designed to elicit curiosity or greed in the victims (e.g., “FREE PRIZE”).
Alternatively, the item could be left in a workplace break room with a label that seems
relevant (e.g., “Year-End Report”). When the item is inserted into the victim’s computer, the
computer or network is infected, giving the identity thief access to information.

Credit Card Skimming

In credit card skimming schemes, fraudsters use skimming devices to surreptitiously scan and store
credit card numbers. This information can then be sold to identity thieves or used to commit
identity theft directly. Identity thieves can use the numbers to make online purchases or to
create fake cards for in-store transactions.
Malware
Identity thieves use malware to steal personal and business information from computers. The type
of malware most commonly associated with identity theft is spyware, software that collects and
reports information about a computer user without the user’s knowledge or consent. The presence
of spyware is typically hidden from the user and can be difficult to detect. Spyware can perform
many different functions, including harvesting private information.

Computer Hacking and Data Breaches

Computer hacking refers to the use of technology to gain unauthorized access to sensitive
information on a computer system. Computer hackers target companies’ computer networks for a
number of reasons.

If the personal information of a company’s customers is compromised, this is known as a data

breach. Personal information stolen in data breaches is often sold on illegal trading websites, where
criminals from around the world buy stolen credit card numbers, government identification
numbers, and other sensitive information. Sometimes, the company is not aware that a data breach
has occurred until it is notified that its information is for sale on such websites.

Computer hacking is discussed in more detail in the “Computer and Internet Fraud” chapter
of this section of the Fraud Examiners Manual.

Malicious Insiders
There are different kinds of insiders, including employees, business associates, relatives, and friends,
all of whom might have access to sensitive information. Insiders often play a key role in identity
theft. Some insiders steal information to further their own identity theft schemes, while others
are paid by criminals to steal the information.
Methods of Preventing Identity Theft

Identity Theft Prevention for Individuals

The following are some of the steps individuals can take to protect their personal information and
prevent identity theft:
 Do not give out government identification numbers unless absolutely necessary.
 Do not carry government identification cards (or numbers) in purses or wallets.
 Create complex passwords or passphrases that are at least eight characters in length and
contain upper- and lowercase letters, numbers, and symbols.
 Do not reuse passwords. Use a different password for every website, account, or device.
 Never send personal information, such as a password or government identification
number, via email. Reputable organizations will not request personal information by
email.
 When available, use biometric authentication (e.g., fingerprints, voice recognition).
 Create unique answers for security questions. Do not choose answers containing personal
information that is publicly available (e.g., name of high school, mother’s maiden
name).
 Protect computers with strong and regularly updated firewall and antivirus software, and
promptly install all security updates and patches.
 Avoid suspicious websites.
 Delete messages from unknown senders without opening them.
 Only download software from trusted websites.
 Avoid using unsecured, public Wi-Fi networks.
 Limit the amount of personal information shared on social media.
 Use software to permanently erase all data from hard drives before disposing of
computers, smartphones, copiers, printers, and other electronic devices.
 Secure physical mailboxes with a lock, check physical mail regularly, and instruct the post office
to suspend mail during vacations.
 Shred all sensitive documents.
 Opt out of unsolicited offers for pre-approved credit cards or other lines of credit.
 Pay attention to billing cycles and review all bills and statements.
 Check credit reports regularly.
Identity Theft Prevention for Businesses
Any business that collects personal information from its customers or employees is a
potential target of identity thieves. Fraudsters want to steal that information and use it to
commit identity theft. Therefore, businesses must have procedures in place to protect any
personal information in their possession.

The following are some of the steps businesses can take to protect personal information and
prevent identity theft:
 Limit the personal information collected from customers. For example, do not collect
customers’ government identification numbers unless there is a legal requirement to
do so.
 Restrict employees’ access to the personal information of customers and coworkers.
 Use network-security tools to monitor who accesses personal information.
 Do not retain personal information for longer than necessary.
 Adopt an information-handling policy that governs how personal information is stored,
protected, and disposed of. Strictly enforce the policy, and discipline employees who
violate it.
 Conduct regular employee training regarding the company’s information-handling policy
and best practices for preventing identity theft.
 Ensure the security of buildings by using locks, access codes, and other security features.
 Keep physical documents containing personal information in locked rooms or locked
file cabinets.
 Secure all computer networks and electronic information.
 Use encryption to protect all personal information stored by the company or sent to
third parties. Encryption should also be used to protect information sent over the
company’s wireless network.
 Restrict the use of laptops to those employees who need them to do their jobs.
 Require employees to use complex passwords or passphrases.
 Where permitted by law, perform background checks on prospective employees.
 Thoroughly investigate contractors and vendors before hiring them.
 Do not use government identification numbers as employee identification numbers or
print them on paychecks.
 Perform regular audits of information-handling practices, network security, and other
 internal controls.
 Create a data breach response plan.
How to Respond to Identity Theft
Victims of identity theft should take the following actions:
 File a police report with local law enforcement authorities, and keep a copy of the report.
Many banks and credit agencies require a police report before they will acknowledge that
identity theft has occurred.
 If a wallet or purse was stolen, immediately cancel all credit and debit cards and get
replacements.
 Put a stop payment on all lost or stolen checks.
 Request a copy of all credit reports and review them for unauthorized account activity.
 Report unauthorized charges and accounts to the appropriate bank, credit card company,
or credit reporting agency immediately by phone and in writing.
 Change account numbers or close accounts that are affected by the fraudulent activity.
 Contact all credit reporting agencies to have a security alert or freeze placed on credit
reports.