How Identity Theft Happens and the Steps That Prevent It

Identity theft cost Americans $10.3 billion in 2022. Learn how attackers steal identities through phishing, data breaches, and synthetic fraud — and which defenses work best.

By The InfoNexus Editorial Team | May 18, 2026 | 9 min read

In 2022, Identity Fraud Cost Americans $10.3 Billion — a 44% Jump in One Year

The FTC received 5.7 million reports of fraud and identity theft in 2022, with identity theft complaints alone exceeding 1.1 million. The financial losses from identity fraud reached $10.3 billion — the highest ever recorded, according to the FTC's Consumer Sentinel Network. These numbers represent not just financial harm but also thousands of hours spent by victims disputing fraudulent accounts, correcting credit reports, and navigating bureaucracies that were not designed to efficiently restore stolen identities. Identity theft is not a single crime; it is a spectrum of techniques that share one goal: acquiring enough personal information to impersonate someone else for financial or other gain.

The Primary Attack Vectors

Identity thieves rarely rely on pickpocketing and dumpster diving alone (though both occur). Modern identity theft is predominantly digital, and the methods are well-documented.

Phishing remains the most common initial access technique, responsible for approximately 36% of data breaches according to Verizon's Data Breach Investigations Report. Spear phishing — personalized attacks using publicly available information from social media — dramatically improves success rates over generic lures. A targeted email referencing a recent transaction, employer name, or recent event produces far higher click-through rates than mass-blast phishing.

Data breaches supply criminals with millions of records simultaneously. The 2017 Equifax breach exposed Social Security numbers, birth dates, and addresses of 147 million Americans — essentially the full dossier needed to open credit accounts. Stolen credentials from breaches are sold in bulk on dark web marketplaces; prices range from under $1 for individual login credentials to several hundred dollars for complete identity packages.

Categories of Identity Theft

  • Financial identity theft: Using stolen credentials to open credit accounts, take out loans, or drain existing accounts. The most common category.
  • Tax identity theft: Filing a fraudulent tax return using someone else's SSN to claim their refund before the legitimate filing. The IRS flagged 1.1 million suspicious returns in 2022.
  • Medical identity theft: Using someone's insurance credentials to obtain healthcare or prescription drugs. Particularly difficult to detect and potentially dangerous if fraudulent records alter medical histories.
  • Synthetic identity fraud: Creating a new identity by combining a real SSN (often from a child or deceased person) with fabricated name and address data. Particularly hard to detect because no real victim notices unusual activity.
  • Account takeover: Seizing control of existing accounts via stolen credentials, SIM swapping, or security question exploitation — then using them to make purchases or as pivot points to access linked accounts.

The Synthetic Identity Fraud Problem

Synthetic identity fraud is the fastest-growing type of financial crime in the United States, according to the Federal Reserve. Unlike traditional identity theft where a victim eventually discovers fraudulent accounts, synthetic fraud uses identities that don't correspond to a living, monitoring person. Fraudsters build credit profiles slowly over 12–24 months — making small purchases and paying them off — before a "bust-out": simultaneously maxing out all available credit and disappearing. The average synthetic identity fraud loss per case exceeds $15,000, and banks lose an estimated $6 billion annually to this form of fraud.
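The build-up-then-bust-out pattern described above can be screened for on the lender side. The sketch below is an added example, not code from the article or from any lender: the `Month` record, the function names, the thresholds and the sample histories are all assumptions made for illustration.

```python
from dataclasses import dataclass

# All thresholds below are illustrative assumptions, not values from the article.
SEASONING_MONTHS = 12   # shortest build-up period the article mentions
LOW_UTIL = 0.30         # ceiling for "small purchases" during build-up
SPIKE_UTIL = 0.90       # floor for "maxing out" in the latest month

@dataclass
class Month:
    balance: float       # statement balance
    limit: float         # credit limit
    paid_in_full: bool   # statement was paid off in full

def utilization(m: Month) -> float:
    return m.balance / m.limit if m.limit else 0.0

def tradeline_spiked(history: list[Month]) -> bool:
    """Latest month is near the limit after a long, clean, low-use run."""
    if len(history) <= SEASONING_MONTHS:
        return False  # too young to show the build-up phase
    *past, latest = history
    window = past[-SEASONING_MONTHS:]
    seasoned = all(m.paid_in_full and utilization(m) <= LOW_UTIL for m in window)
    return seasoned and utilization(latest) >= SPIKE_UTIL

def review_identity(accounts: dict[str, list[Month]], min_accounts: int = 2) -> dict:
    """Flag an identity when several tradelines spike in the same month.
    Assumes every history ends on the same statement month."""
    flagged = sorted(a for a, h in accounts.items() if tradeline_spiked(h))
    return {"flagged": flagged, "bust_out_suspected": len(flagged) >= min_accounts}

def _quiet(months: int, limit: float, spend: float) -> list[Month]:
    return [Month(spend, limit, True) for _ in range(months)]

# Constructed sample data: three cards built up for 14 months, then maxed together.
SYNTHETIC = {f"card-{i}": _quiet(14, 2000.0, 150.0) + [Month(1980.0, 2000.0, False)]
             for i in (1, 2, 3)}
# Constructed sample data: one large purchase on one card, the other unchanged.
ORDINARY = {"card-a": _quiet(14, 5000.0, 400.0) + [Month(4800.0, 5000.0, False)],
            "card-b": _quiet(14, 3000.0, 200.0) + [Month(250.0, 3000.0, True)]}

if __name__ == "__main__":
    print(review_identity(SYNTHETIC))
    print(review_identity(ORDINARY))
```

Requiring several tradelines to spike together is what separates the bust-out from an ordinary customer who makes one large purchase on a single card.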

| Attack Method | Data Obtained | Typical Use | Detection Difficulty |
|---|---|---|---|
| Phishing | Login credentials, SSN, account numbers | Account takeover, financial fraud | Moderate (victim may notice) |
| Data breach purchase | Full profiles: SSN, DOB, address, credit history | New account fraud, synthetic fraud | Hard (victim unaware until damage) |
| SIM swapping | Phone number control, 2FA bypass | Account takeover | Hard (fast and targeted) |
| Mail theft | Pre-approved offers, financial statements | New account fraud | Easy (victim notices missing mail) |
| Shoulder surfing | PINs, passwords, card numbers | Financial fraud | Moderate |
| OSINT (open source intelligence) | Birthday, employer, address, family names | Security question answers, spear phishing | Very hard (no attack detectable) |

Prevention: What Actually Works

The most effective single action is a credit freeze (security freeze) with all three major bureaus — Equifax, Experian, and TransUnion — plus NCTUE, PRBC, and Innovis. A freeze is free, prevents new credit accounts from being opened, and does not affect existing credit or credit scores. Unlike credit monitoring, which notifies you after fraud has occurred, a freeze prevents most new-account fraud from happening at all. Freezing a child's credit file is particularly recommended since children's SSNs are frequently used in synthetic identity schemes that remain undetected for years.

  • Use unique passwords + password manager: Reused passwords mean one breach compromises all accounts. A password manager generates and stores high-entropy unique passwords for each site.
  • Enable hardware or app-based 2FA: SMS-based 2FA is vulnerable to SIM swapping. Authenticator apps (TOTP) or hardware keys (FIDO2/WebAuthn) are substantially more resistant.
  • Monitor Dark Web exposure: Services like HaveIBeenPwned.com and identity monitoring services check if your email or credentials appear in breach databases.
  • Place a fraud alert: A 90-day fraud alert (free, renewable) requires creditors to verify your identity before issuing credit — lighter than a freeze but useful when a freeze is temporarily lifted.
  • Lock Social Security number: The SSA's E-Verify Self Lock and mySSA account lock prevent your SSN from being used in federal employment verification systems.

Recovery: The Process After Identity Theft

| Step | Action | Where |
|---|---|---|
| 1 | File FTC identity theft report | IdentityTheft.gov (generates a recovery plan) |
| 2 | File police report if criminal use occurred | Local law enforcement |
| 3 | Place extended fraud alert (7-year) or credit freeze | All three major bureaus |
| 4 | Dispute fraudulent accounts | Creditors + bureaus using FTC report as documentation |
| 5 | Notify affected institutions | Banks, IRS (Form 14039), SSA, USPS |
| 6 | Review credit reports | AnnualCreditReport.com (weekly access now permanent) |

The FTC's IdentityTheft.gov portal generates a personalized recovery plan and pre-written dispute letters tailored to the type of theft. Using it significantly reduces resolution time compared to navigating each institution independently. Recovery from identity theft takes an average of 200 hours across several months — a cost that reinforces why prevention investments are worthwhile.
