In the overwhelming majority of identity theft cases (we’ve seen as high as 84% in some studies), the victim is the first to discover that their identity has been stolen and used by a bad actor (when the victim isn’t first it’s predominantly banks or law enforcement). This means it’s most likely that you’ll be the first to identify it and subsequently burdened to be the first to respond – you won’t get the call from someone of authority who will suggest how to help, fortunately we’ve also made a checklist to jump onto if this ever happens to you.
This article goes hand in hand with our Checklist: What to do when identity theft strikes. The linked checklist outlines the typical flags & indicators of identity theft as well as what you should do in response if you are a victim. As such these topics won’t be covered in this article – we recommend you read the checklist after reading this article and consider downloading it so you have it on hand more readily.
Identity theft defined
Identity theft is when your personal, financial or other sensitive information is used without your permission typically to commit frauds or crimes in your name. The type of information required to commit identity theft includes this list detailed in our recent article on what bad actors want.
Simply put though it involves personal identity information (name, address, date of birth, etc) typically found on government issued identity documents (drivers’ licence, passport, etc) and financial information (bank account / credit card numbers, insurance policy numbers, etc).
Such information can be gained through:
- Direct communication or cold calling including posing as customer support or a representative from a company you do business with. Being an unsolicited call bad actors will go to great lengths to appear legitimate even asking if you accept the standard ‘calls may be used for training or coaching purposes’ disclaimer.
- Physically stealing identity documents (break & enter, mailbox theft, digging through rubbish bins, etc)
- Phishing and other similar online scams such as posting bogus job listings to gain resumes
- Data breaches of organisations and government departments that hold your private information
- Accessing your device/s (phones, laptops, USB sticks, servers, etc) this could be through breaching it directly (hacking it), theft, or finding lost or discarded devices which were not wiped prior to being thrown out
- Exploiting standard account verification questions (eg. ‘What is your mother’s maiden name?’)
- ‘Shoulder-surfing’ which refers to listening in for private information in crowded public places
- Befriending you online in a social or romantic setting to build trust until you eventually share personal information to your new ‘friend’
- Collating information posted publicly to social media sites
- Infect your device/s with purpose made malware
The typical frauds or crimes which can be committed include:
- Make purchases with existing or take out new credit cards
- Use your health insurance to get medical care or make bogus claims
- Open new accounts in your name (such as phone or utilities) or open legal entities in your name (various trust, corporation, or company structures) to launder money through
- Steal your tax refund or funds held in your account/s
- Pose as you if they get arrested
- Child identity theft is also on the rise which involves stealing the identity of a minor which typically isn’t discovered until the victim reaches adult age and applies for credit.
- Deceased identity theft also exists whereby bad actors collate death notices or gravestone / funeral information to exploit the delay between the victim’s passing and the closure of their accounts. The latter is rarely attended to early as their family is grieving and organising the funeral, not closing accounts or attending to similar formal matters, during this time.
The consequences of all this to the victim are quite obvious but read this list from one of our recent articles as it also includes some consequences you may not have considered.
Prominent targets of Identity theft
By no means is this an exhaustive list but that’s not the intention (as we are all targets to varying degrees), these are simply the more prominent targets for identity theft. You may not fall into any group or numerous groups:
- High-income earners: As they have more wealth for the bad actor to access and exploit. This also applies to high-net-worth individuals who may not be earning a high income but still have substantial liquidity (such as retirees or those benefiting from a sizable inheritance).
- Elderly: As they are perceived as being overly trusting and not tech savvy making them more likely to fall victim to phishing scams and other nefarious methods used to steal identity information
- Children: As outlined above regarding ‘child identity theft’ but also by being generally less sensitive to threats, knowledgeable of scams, and more trusting compared to adults
- Young adults: As they are seen to be naïve when it comes to good cybersecurity practises and/or overly confident in their technological prowess believing ‘it won’t ever happen to me’
- Highly active social media users: As they often post not only information but photos of their houses, cars, lifestyles, etc. There is simply more data generated by this group for bad actors to collate and exploit
- Military service people: Whilst they’re deployed abroad, they may not be able to keep a close eye on or otherwise respond to the security of their information in a timely manner
- Culturally & linguistically diverse people: As they may lack the ability to adequately respond to or report their experiences due to language barriers. Depending on where they live there may also be a lack of government support services for people with these and similar diverse backgrounds.
If someone you care about or know falls into the above categories, it might be worth sitting down with them and discussing their cybersecurity habits. Don’t forget of course that virtually everyone is a target because the gains from identity theft aren’t exclusive to financial gain.
Other target groups
It’s also worth noting that in many studies the 25-44 age group tops the list of identity theft reports. However, that doesn’t necessarily mean they’re the most at-risk group but rather that they have the highest likelihood to formally report identity theft. From the list above, it’s easy to identify a few groups that would have difficulty, confidence, or reluctance to formally report.
We’d also include that low-income earners are also not immune from being targeted for identity theft. The reason being is that because they possess fewer assets and lower incomes it may be easier for bad actors to entice them to provide identity documents through finance-based frauds. People under financial hardship are targeted by scams promising reduced rate debt transfers or refinancing offers.
Females are also more likely to be targeted by identity thieves as they are viewed as easier to convince by forceful or threatening scams, messages, or conversations. Their surnames can be changed via marriage, and they are seen as more meticulous keepers of documentation than males.
From the above lists have a think how many target groups you fall into? From there, have a think about how many target groups your entire household falls into? As we said earlier – we are all targets, just to varying degrees.
How to reduce the risk of identity theft
Our checklist linked here outlines the various flags and indicators of identity theft and what you should do if you fall victim. Below we’ve listed some precautions to take to reduce your risk of identity theft, it is a large list but some items won’t apply to everyone, others are related to infrequent events, and some are ideally already part of your regular habits.
- Close all unused accounts especially bank, social media, email, online shopping and loyalty accounts. Through the process you should have the option to request the company deletes their stored information about you before formally closing the account.
- Use a PO Box or lock on your mailbox to ensure physical mail isn’t stolen. Collect mail from your mailbox daily and if you’re away from home have a family member do it or consider a hold on your mail for the time you’re away.
- Secure sensitive documents in a safe, lockable filing cabinet, or shred them (confetti cut shredder is best). For digital files or documents save them in encrypted form and ideally in a secure location (don’t leave them sitting on your desktop or in your inbox)
- Only provide the bare minimum information required when interacting online, purchasing items, or opening up accounts
- Thoroughly research any company that you need to transmit sensitive documents to. Small businesses, such as real estate agencies, are the ones to apply this to most rigorously. This is because they typically have less procedures, staff training, secure storage infrastructure, and just a generally reduced risk awareness to ensuring your sensitive documents are handled appropriately
- Don’t share passwords or account access keys online by email, chat bot, SMS, or by phone. Legitimate businesses won’t identify you by asking for this type of information, bad actors will.
- If you are suspicious of a phone call, ask for a phone number and reference number to call the business back later. Research the legitimacy of the phone number (that it matches the official business number) and the business’s relation to you. If it everything is above board call back later, legitimate businesses won’t have issue with this as people can be busy when they call so suggesting that you will call back later is a standard response to them.
- Don’t share personal information with strangers or people you’re not comfortable with yet (such as a new romance). Networking events, weddings, parties, and dates are situations where even simple questions can lead to answers which expose private information. Likewise for entering competitions or completing surveys in public places such as shopping malls – you don’t know how securely your information will be stored when recorded physically on pieces of paper in these settings.
- Related to the point above workplaces are environments where people are more relaxed, comfortable, and trusting of their colleagues. Be conscious how much you share with work colleagues and store your handbag / wallet securely. Speak to your boss about how securely the company stores personnel files and report cases of information snooping by a colleague if it appears unwarranted.
- Carry limited cards in your wallet so if you lose your wallet there is less to cancel and less for the person who picks it up to do damage with
- Research and consider taking out:
- Identity and / or credit monitoring services
- Identity theft recovery services
- Identity theft insurance
- Take yourself off any marketing lists, opt out of ‘Sharing Your Information’, and unsubscribe from newsletters you’re no longer interested in. Through the process you should have the option to request the company deletes their stored information about you before closing the account.
- When you sell, pass on to someone, or dispose of any electronic device such as a laptop, computer, or mobile phone do a full wipe of the machine. Deleting or removing sensitive documents or images isn’t enough, you must format the hard drive. Similarly, when selling or trading-in a car, remove all GPS history – especially if your address is stored in the ‘take me home’ function.
- When you move house, redirect your mail for one year to ensure you don’t miss changing your details with those who send infrequent mail
- Monitor your credit rating and bank statements regularly and investigate any concerning or unusual records or changes to your credit rating
- If a breakup or divorce is likely ensure you change all your passwords and consider changing bank accounts as well
- When your house is broken into the focus tends to be identifying which possessions with resale value are missing (jewellery, cameras, etc). Following a burglary, don’t forget to check for missing identity documents as well.
- Use a bogus signature for courier or postal delivery, in many countries there is no legal requirement to use your legitimate signature for courier or postal delivery (but do check your local laws to be sure)
We would also recommend reading our How To Guide on shopping online privately, namely the recommendations listed under ‘Part One: Protect your data’
The standard good cybersecurity practises also apply to help protect against identity theft:
- Use a VPN
- Use reputable antivirus / antimalware software
- Ensure your software is up to date
- Avoid public Wi-Fi
- Be aware and conscious of identifying phishing scams
- Set up 2FA on all accounts with the capability
- Ensure you use strong, unique passwords
- Use an email provider known for strong security and ensure your email is never a treasure trove of personal information. Delete receipts from online purchases once they arrive and you’re happy with them. If you need to keep a record for warranty purposes, store it securely or print it out and lock it away.
- Tighten your social media privacy settings and don’t accept friend requests from people you don’t know
Identity theft isn’t a problem that’s easily addressed by simply purchasing a certain piece of software as the threat isn’t exclusive to the online world. Identity theft existed long before mass adoption of the internet, the proliferation of the internet has just created new ways for identity to be stolen.
Between the precautions listed in this article and our identification and response checklist there is a strong theme present:
Reduce the amount of data that you generate or that is generated about you
This is the best approach as it’s preventive rather than reactive – if the data doesn’t exist in the first place it can’t be found, accessed, and exploited. It’s too easy in this day and age to sign up to every website or newsletter that mildly interests us. It’s too easy to open large amounts of accounts, have large amounts of apps on our phones, and generally move our lives online for perceived convenience. We don’t see the volumes of data this creates, nor do we know how securely it is stored. Moving forward, try being more sceptical or resistant to data generation, ask yourself ‘do I really need to open an account here?’ ‘Do they really need this information about me?’
Obviously, we can’t point the finger strictly at the rapid reliance of life on the internet as the main culprit because as we said – identity theft was around before the internet. This is where the reactive actions come into play because it would be naïve to suggest you can avoid data generation in this day and age altogether. The theme in relation to this throughout this article and checklist has been:
Necessary data must be secured and protected (and it’s up to you)
You need to get your utility bills so ensure your mailbox is lockable or you use a PO Box. You need keep important documents at home so ensure they’re locked in a safe. You need to have a smartphone so ensure it’s secured and protected. You need to have email so ensure you use one known for strong security. We think you get the idea, for everything that you can’t avoid using that generates data about you or holds your personal identity information – apply the highest security and protection tools available to you.
Goode, Sigi (2017) ‘Identity theft and Australian telecommunications: Case analysis’, Australian Communications Consumer Action Network, Sydney
This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content is at the users own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.