How does identity theft happen? 11 ways identity thieves steal information

Data from the latest Consumer Sentinel Network databook shows there were over a million reports of identity theft made to the Federal Trade Commission (FTC) in 2024. And underreporting means it’s likely that the number of victims is much higher, with data from the Bureau of Justice Statistics suggesting that ID theft may be America’s number one crime.

But not every case of identity theft happens in the same way. Identity thieves use all sorts of tactics and scams to get access to the sensitive data they need. These are 11 of the most common.

1. Data breaches

A data breach happens when cybercriminals get unauthorized access to sensitive information stored by an organization, such as personal or financial data. This is often the result of a targeted hacking or social engineering attack, but data leaks can also occur following technological errors or employee mistakes.

Data stolen in a breach, like personally identifiable information (PII), Social Security numbers (SSNs), login credentials, dates of birth, or financial details, can be used directly by the hackers to commit fraud. But it also often ends up for sale on the dark web, where scammers or identity thieves can buy it.

The consequences of a data breach can be severe for affected individuals. While organizations are often required to spend massive amounts of money to fix the breach, the people whose data is breached still have to deal with potential issues that can stick around for years, from annoying spam calls to full-on credit fraud.

To help protect against data breaches:

• Use a data breach detection tool to see if your data is found to be exposed.
• Make every password unique to minimize the risk of one breach affecting multiple accounts.
• Enable two-factor authentication (2FA) to protect against account takeover attacks.
• Be cautious of suspicious emails and links in general, but particularly in the aftermath of a breach.

2. Phishing

Phishing involves scammers posing as a trusted person (like a family member) or organization (like your bank, a delivery service, or a company) to trick you into sharing sensitive information.

Phishing attacks can involve emails, texts, or social media messaging that contain a fraudulent link. But then can also be delivered over the phone, including with convincing AI voice clones. Here’s a summary of some of the main methods:

• Email phishing attacks involve convincing fake emails that look like they come from real companies, or people you know and trust. But they’re scams made to get you to reply with sensitive information, click a malicious link, or open an infected attachment.
• Smishing (or SMS phishing) attacks often take the form of fake delivery updates or account security alerts designed to trick you into clicking a malicious link that leads to a data-stealing webpage.
• Vishing (or voice phishing) involves scammers calling you, often pretending to be a government agency like the IRS and claiming you face fines or other consequences if you don’t “confirm your identity” immediately.
• Quishing is a type of QR code scam where fraudulent codes that lead you to websites designed to steal your information are placed on parking meters, menus, or in emails.

Phishing techniques are at the core of so many different types of scams, making it essential to understand how they work and what you can do to protect against them.

Start by following these tips:

• Verify a sender is who they say they are before clicking links in emails or potentially fake text messages — especially if the message sounds urgent.
• Manually search for webpages you want to visit instead of clicking links to avoid being tricked by fake URLs.
• Be cautious if you receive an unexpected call asking for personal or financial information, and hang up to call back using an official phone number if you’re in doubt.
• Don’t scan QR codes in emails or on flyers, parking meters, or signs unless you trust the source — use a search engine or official app to find the website you’re looking for instead.
• Remember that identity thieves can use AI to create fraudulent emails and texts that look authentic to lower your guard. Never act without thinking critically

3. Mail theft

Mail theft is when someone steals your physical mail, often to access sensitive personal or financial information. This can include taking mail directly from your mailbox, retrieving letters from collection boxes, or intercepting deliveries meant for you.

Mail like bank statements, tax documents, checks, and pre-approved credit offers can all help scammers commit identity theft or credit card fraud. Fraudsters who get the information in these documents may be able to open accounts, make unauthorized purchases, change billing addresses, or commit fraud in your name.

Even a single piece of stolen mail can provide enough details for criminals to piece together your identity, making mail fraud a surprisingly effective method of identity theft.

Follow these tips to help protect against mail theft:

• Use a locked mailbox or a P.O. Box to secure your incoming mail.
• Opt for digital statements and bills whenever possible to limit the paper mail you receive.
• Retrieve your mail as soon as it’s delivered and avoid leaving it in your mailbox overnight.
• Send outgoing mail directly from a post office or secure mail drop rather than leaving it in an unsecured mailbox.

4. Account takeovers

Account takeover attacks happen when a criminal gets unauthorized access to one of your online accounts. This can be the result of a data breach if your credentials are leaked. They can also follow phishing attacks, when a scammer convinces you to share your login credentials under false pretenses.

Account takeovers can also be achieved using more traditional hacking methods, like credential stuffing. This strategy involves cybercriminals combining your email address with massive lists of common passwords, using bots to “stuff” those credentials into the login pages of banks, social media platforms, and other sites.

However they get in, a cybercriminal with access to one of your accounts can change your password, lock you out, and even disable security alerts to stay hidden. From there, they can steal more sensitive information for use in fraud, make unauthorized purchases, transfer funds, access saved payment methods, or even use your account to scam others.

However, there are some reliable methods to protect against account takeovers:

• Use strong, unique passwords for each account and enable multi-factor authentication whenever possible.
• Monitor your accounts regularly for unfamiliar activity and set up alerts to catch issues early.
• Be skeptical of unexpected messages or calls claiming to be from banks, government agencies, or well-known companies, especially if they pressure you to act fast.
• Never share one-time verification codes, passwords, or account details, even if the request appears legitimate.

5. Dark web marketplaces

A dark web marketplace is an online forum hidden from traditional search engines where criminals buy and sell illicit commodities, including stolen data. Data that comes from data breaches, mass phishing scam campaigns, and insider leaks can all appear on dark web sites, with details often being packaged into “fullz” (full profiles) that contain names, Social Security numbers, credit card numbers, and login credentials.

Many people don’t even realize that their personal information is circulating on the dark web until it’s already been used in fraud or identity theft. But you can check if your information is on the dark web using a free tool or set up continuous monitoring to keep an eye on it automatically.

Here are some steps to take to protect your personal information online and defend against dark web exposure:

• Be cautious about where and how you share personal information, especially on social media and public forums.
• Minimize the number of accounts you set up with your real information to reduce the chance of being exposed in a data breach.

6. Using public Wi-Fi

Public Wi-Fi networks, like those in coffee shops, airports, hotels, or libraries, often lack strong security to protect your personal information, making them a prime target for cybercriminals. Hackers may be able to intercept data sent from your device on unsecured public networks, including your login credentials, emails, and payment details.

For example, logging into your bank account while on free Wi-Fi could expose your information to someone monitoring the network and, once the data is captured, criminals could use it to access your financial accounts, make unauthorized purchases, or even open new credit lines.

However, there are some steps you can take to protect against the risk of public Wi-Fi networks:

• Avoid transmitting sensitive data or making transactions on public Wi-Fi networks.
• Use a VPN to encrypt your internet connection and keep your browsing activity more private.
• Disable automatic Wi-Fi connections and file sharing so your device doesn’t connect to unknown networks without you realizing it.
• When in doubt, switch to your mobile data or wait until you’re on a trusted, password-protected network.

7. Dumpster diving

Dumpster diving is one of the lowest-tech methods identity thieves use to steal information, but it can still prove valuable. It literally involves someone searching through your trash for discarded documents containing sensitive information, including bank statements, credit card offers, shipping labels, notes with passwords written on them, or medical records.

If you don’t shred or otherwise destroy these documents when you throw them out, thieves can easily piece together enough details to steal your identity. And the long-term consequences of identity theft that can follow dumpster diving include financial losses, time-consuming recovery efforts, emotional distress, and lasting damage to your credit score.

But you can minimize the risk of falling victim to a dumpster diving fraudster with these tips:

• Shred documents containing personal information before disposing of them.
• Lock your trash bins to prevent unauthorized access to discarded documents.
• Tear up or black out labels on packages and mail that include your name or address.
• Switch to paperless statements whenever possible to reduce the amount of sensitive material going into your trash.

8. Wallet theft

Your wallet probably contains a treasure trove of personal information, with credit and debit cards, Social Security cards, insurance cards, and driver’s licenses giving away some of your most sensitive data.

That’s why wallets are a big target for thieves, but fraudsters might also get lucky and simply find your lost wallet. No matter how it happens, if the information in your wallet falls into the wrong hands, it can be used to open accounts, make unauthorized purchases, or commit other types of fraud.

An identity thief with your wallet is uniquely equipped to bypass certain security checks using the physical IDs and cards they possess, making wallet theft one of the most threatening ways for identity theft to happen if you don’t take quick action after noticing it.

These are some of the must-know strategies to defend against wallet theft:

• Only carry essential items in your wallet and leave unnecessary documents, like your Social Security card at home.
• Keep a record of the contents and information in your wallet, including card numbers and contact information, so you can quickly report stolen cards.
• Immediately report lost or stolen cards to your bank or credit card company.
• Use wallets with RFID-blocking features to help reduce the risk of electronic skimming.
• Keep your wallet in a secure, hard-to-reach place and avoid leaving it unattended in public spaces.

9. Romance scams

Romance scams occur when a cybercriminal uses your romantic feelings for them to gain your trust and, ultimately, your sensitive data. Whether achieved through online dating scams or in-person relationships, this type of identity theft can cause both financial and emotional damage.

In a romance scam, identity theft is rarely the first move. Instead, it’s the climax of a longer process which typically follows these steps:

• The hook: Scammers use love bombing (aka, excessive affection) to build intense trust and move the conversation to private, encrypted apps.
• The crisis: A fake emergency — like a medical bill or a frozen account — is staged to create a sense of urgency.
• The data harvest: They ask for more than just money as a form of help. This can include your login credentials, screenshots of sensitive documents, or even, in extreme cases, power of attorney.

Romance scams could also refer to spousal identity theft, where someone steals their partner’s ID to take out a loan or open a new credit account. This can tank your credit score and potentially leave you associated with thousands of dollars in debt.

Follow these tips to help protect against romance scams:

• Be wary of anyone who professes deep love too quickly or asks for odd details, like your mother’s maiden name.
• Use a reverse image search on profile photos from online dating sites to see if that “person” is actually a stock photo.
• Always meet new connections in a public place and never send money or verification codes to someone you haven’t met in person.

10. Insider data theft

While we often think of hackers as criminals operating remotely, identity theft can also be perpetrated by seemingly legitimate employees at banks, hospitals, or government agencies. Fraudulent insiders can misuse their authorization to steal your personal information, and then either use it directly or sell it online.

Because these individuals have legitimate access to your records, it can be incredibly difficult to detect fraud committed by them until the damage is already done. But, there are some tips, similar to those that apply to protecting against data breaches, that can help limit your exposure:

• Only provide the absolute minimum amount of data required by retail or service providers. The less data an organization stores, the less there is for a disgruntled employee to steal.
• If you notice small, unauthorized changes to your work-related or medical accounts, alert the relevant fraud department immediately. Early detection is key to stopping a larger breach.

11. AI scams

Identity theft has entered a new era with the rise of AI scams. Criminals can now use artificial intelligence to automate, polish, and scale their attacks, making them more convincing than ever before.

For example, while traditional phishing messages often had tell-tale signs like poor grammar, AI enables scammers around the world to generate perfect, professional-sounding messages, or even mimic the specific writing style of someone you know.

Deepfakes are a particularly dangerous subset of AI technology, when in the hands of would-be identity thieves. Deepfakes are hyper-realistic AI-generated video clips created to mimic a real person’s face and voice. A scammer might use a short clip you shared on social media to create a cloned version of you, which they then use to call your family members or coworkers to request urgent wire transfers or sensitive login credentials.

While the world of AI scams and identity theft is developing quickly, these are some tactics you can use to help keep your data safe:

• Use a secret safe word or phrase with family or friends. If you receive an urgent, emotional call from a loved one asking for money, ask for the safe word to verify it is actually them.
•  Never rely on a single incoming communication. If your boss or a relative messages you with an unusual request, separately contact them through a trusted line of communication.
• Ironically, a lack of typos or an overly formal tone in a text message can now be a red flag for an AI scam.
•  In deepfake videos, look for unnatural blinking, mismatched lip movements, or strange shadows around the neck and hair. In audio, listen for robotic pacing or a lack of breathing during the conversation.
• AI needs data to learn. Limit the amount of public audio and video you share on social media.

What to do if you think your identity has been stolen

Building awareness of how somebody can steal your identity is a great first step in protecting against the risk, but it won’t always be enough to keep you safe. Knowing what to do if your identity is stolen is equally important.

If you start to see the tell-tale signs of identity theft and suspect that somebody has access to your personal information, here’s how to take action:

1. Inform financial institutions: Report the fraud or ID theft and any unauthorized activity to your bank, credit card companies, and other affected organizations as soon as possible after noticing it. Contact their fraud department to close or freeze compromised accounts and request replacement cards.
2. Secure compromised accounts: Access any potentially compromised online accounts as soon as possible and change your passwords to protect against account takeovers. Also enable two-factor authentication (2FA) and additional security measures wherever possible for extra security.
3. Notify relevant agencies: Report stolen ID cards and driver’s licenses to the DMV, tell the IRS about compromised SSNs, and notify your health insurer about the identity theft incident.
4. Freeze your credit: This precautionary measure restricts unauthorized access to your credit report and prevents new accounts being opened in your name. You’ll need to place a freeze with each of the three major credit bureaus — Experian®, Equifax®, and TransUnion®.
5. Report identity theft to the FTC: Visit IdentityTheft.gov to file a report with the FTC and get a personalized recovery plan that will help you through the restoration process.
6. File a police report: Report the ID theft to your local law enforcement agency, especially if you have proof. Your report might help the police support other potential victims of identity theft, too.
7. Monitor for ongoing fraud: Identity theft can surface months after the initial incident. Regularly review your credit reports for unexpected changes, sign up for credit monitoring alerts, and keep a close eye on your bank statements and Explanation of Benefits (EOB) forms from your insurer to catch any delayed fraudulent activity.

Following these steps will help you minimize the impact of identity theft and guard against further fraudulent activity.

Protect your identity with LifeLock

The fact that there are so many ways that identity theft can happen — and the potential severity of the consequences — make an identity theft protection service like LifeLock well worth considering.

LifeLock helps you reduce your online exposure with a built-in automatic data broker removal tool, monitor for threats to your identity across the dark web, social media, and applications for credit, and get alerts of new data breaches that might involve your information.

Plus, if you do fall victim to identity theft, you’ll get restoration support from a U.S.-based expert and reimbursement coverage to help recoup financial losses.

FAQs

How does identity theft happen?

Identity theft happens when criminals steal personal information and use it without permission for financial or personal gain. Common examples of how identity theft can happen include data breaches, phishing scams, stolen mail, account takeovers, and lost or stolen wallets that expose sensitive details.

How do I check if someone is using my identity?

You can check if someone is using your identity by reviewing bank and credit card statements, checking your credit reports, and watching for unfamiliar bills, accounts, or login alerts. Catching suspicious activity early can help limit damage and speed up recovery.

How can criminal identity theft occur?

Criminal identity theft occurs when someone uses another person’s information during an arrest or investigation. This can lead to incorrect charges, warrants, or criminal records tied to the victim’s name instead of the thief.

What are the common causes of identity theft?

Common causes include data breaches, having weak passwords, phishing and scam messages, using unsecured public Wi-Fi, and improper disposal of personal documents. As technology evolves, criminals continue finding new ways to access and misuse personal information.