Identity Theft: How it Works & How to Protect Yourself

Identity theft is a type of fraud in which a criminal gathers enough personal information on someone to take out money or purchase items in their victim’s name. Once they have key personal information, such as your social security number, they might open a credit card, for example, or charge their medical bills to your insurance.

There were over 650,000 reported cases of identity theft in 2019, making it the single biggest category of fraud perpetrated in the United States. Nearly half of these cases involved credit card fraud, but thousands of identity thieves tried to access bank accounts, open mobile phones, take out loans, and any of a dozen other approaches.

We’re going to talk about how identity theft works and how you can protect yourself. But first, let’s talk about personal information.

Your Personal Information

Identity theft starts with a criminal collecting personal information on their target. That can include anything from your name to your social security number to the name of your first pet. Some of these are worth more than others, but generally, an identity thief will need more than one piece of information to steal your identity.

You might have heard the term “personally identifiable information”, which refers to any information that can be used to identify you. Some would draw a distinction between “personally identifiable information” and other types of personal information. For our purposes, we’re interested in any information that can be used to steal your identity. As such, the personal information we’re talking about is all personally identifiable.

For our purposes, we’ll divide your personal information into three categories: top secret, semi-public, and loose ends.

Top Secret Personal Information

By our definition, top secret includes any personal information that is critical to protecting your identity, such as your social security number, passport number, and bank account number. This information should not under any circumstances be made publicly available, and you should be extremely careful when it comes to sharing these details.

Your top secret information also includes details that tie into critical accounts, such as your bank account number and health insurance login and password – these aren’t core to your personal identity, but if an identity thief breaks into one of these critical accounts, they can do a lot of damage.

Top secret personal information includes:

  • Social security number (SSN)
  • Driver’s license number
  • Birth certificate number
  • Passport number
  • Employer Identification Number (EIN)
  • Medical records
  • Bank account login information
  • Email login information

This list is far from exhaustive; top secret personal information includes any personal information that is critical to securing your identity.

Semi-Public Personal Information

There are some datapoints of personal information that are hard to keep completely private. Your name, birthday, phone number, and address, for instance, are all going to be known to at least a few people.

You don’t have to be quite as paranoid about semi-public information as you would for your top secret personal information. But you should still be aware of how many people know these details.

Keep in mind that identity thieves need semi-public information just as much as they need top secret details. Without your name and date of birth, even a social security will only get them so far.

You obviously can’t hide this information from everyone. But you do have some control over it – especially how you publicize this information online. It’s one thing for your family and co-workers to know your birthday. But you don’t have to make that information freely available to anyone who looks you up on Facebook. The less you make public, the harder it will be for thieves to steal your identity.

Loose Ends

Some personal information doesn’t fit into neat buckets. Your mother’s maiden name, for instance, or the name of your first pet – these might seem random, but these bits of personal trivia make up the security questions that are supposed to protect your most important accounts.

Anytime you create a new security question and answer, it’s worth asking who else might know this information. And you should take care not to publicly share these details, just as you shouldn’t make your birthdate and address widely available.

One last tip: make sure you don’t pick obvious security questions. If your mother never changed her maiden name, for example, that would be a very poor choice to secure your account!

How Identity Theft Works

At its core, identity theft happens in two broad steps. First, the identity thief gathers personal information about their target. When they have enough information, they leverage their victim’s identity for financial gain.

That might sound simple. But there are many ways to gather personal information, and plenty of ways to misuse it once acquired.

When gathering personal information, the identity thief almost always needs at least one top secret personal detail, alongside a few semi-public details and loose ends. To apply for a credit card, for instance, they would need your social security number, name, date of birth, and address.

Identity thieves don’t always need a piece of top secret personal information, however. If they have enough semi-public details and loose ends, for instance, they could crack your security questions and break into your bank account or email.

Identity thieves take many approaches to gathering personal information, but they almost always start with the easiest: seeing what’s publicly available online. From there they might steal your mail, rifle through your garbage, phish for key information, or even acquire your information in a data breach of a larger company.

Once they have enough information, the identity thief makes their move. Of the 650,572 cases of identity theft the FTC tracked in 2019, 271,823 (42%) involved credit card fraud. In most of those cases, that’s as simple as opening a new credit card in someone else’s name.

After that, the FTC tracked 104,699 cases (16% of all identity theft) of lending fraud, most of which involved taking out business loans, personal loans, or auto loans or leases. In third, there were 83,535 cases (13% of total) of phone or utilities fraud. Most of these involved creating new accounts for mobile phones, landlines, or utilities, billed under someone else’s name.

These are far from the only ways identity thieves will leverage their victims’ identities for illicit financial gain. They might commit tax fraud, apply for government benefits, or bill medical services to your insurance. Pay attention to the following tips to protect yourself from fraudsters.

How to Protect Yourself From Identity Theft

Freeze Your Credit

The best thing you can do to protect your identity is to freeze your credit file with the main credit bureaus: TransUnion, Equifax, and Experian. It only takes a few minutes, and as long as your credit remains frozen, no one can open a new credit card in your name. And if you ever need to open a new card, all it takes is a few minutes to unfreeze your file. Just make sure to freeze it again – with corporate data breaches rampant, you can never be too secure.

Watch Your Finances and Medical Reports

Reading through all your bills isn’t the most exciting thing in the world. But by paying close attention to your finances, you can catch identity thieves sooner rather than later. That includes not only your credit card and bank statements, but your utility and health insurance bills as well.

You should also periodically check your credit report. Each of the three credit reporting companies offer one free credit report per year. To stay on top of your finances, you can space these out and pull one report every four months.

Safeguard Your Personal Information

Remember the three types of personal information we mentioned above? You should have conscious rules about how you share details in each of these categories.

When it comes to sharing top secret personal information such as your Social Security Number, you should be extremely judicious. Never share this kind of information with anyone unless you absolutely trust them, are certain they are who they say they are, and know why they need the information. Never share top secret personal information in response to an unsolicited phone call or email, as scammers can easily fake phone numbers and email addresses.

You can’t keep semi-public details like your address completely hidden. But you can limit who sees them. I would advise removing as much information as possible from your social media profiles. While you’re at it, you should limit who can see your posts.

Keeping track of loose ends can be a little trickier. Try to pick security questions someone wouldn’t be able to answer just by looking online. And if you know that you’ve used a particular loose end in a security question – your first pet’s name, for instance – you should take care not to post those details freely.

Protect Your Mailbox and Trash

A mailbox can be a treasure trove for identity thieves. They’ve got your name and address to start, and by going through your mail they can find receipts, utility bills, pre-approved credit card offers, and more. The wrong piece of mail can put them on the fast track to stealing your identity. Check your mail daily. If you’re going out of town, you can put it on hold until you return.

Identity thieves aren’t above rummaging around in the trash, either. To further reduce your paper trail, use a paper shredder on any important documents. Especially if you’re a business that handles any kind of customer or employee information, you should consider it a necessity.

Don’t Click Links in Emails

Phishing is one of the top ways identity thieves hijack personal information. In the typical phishing attack, the scammer sends an email from a seemingly legitimate address – claiming to be your bank, for example. They’ll include a link to a duplicate website that looks just like the official version. When their victim clicks the link and types in their password on the dupe website, they give up their login information to the attacker.

The best way to avoid getting phished is to never click on any links in unsolicited emails. Instead, open a new tab and go to the relevant website directly. That way, you can ensure you won’t get misled to a fake site.

What to Do if You Think You May Be a Target of Identity Theft

First of all, report it to the FTC. Change your logins and security questions on any website that may be compromised. Keep in mind that if you use a password across multiple accounts, you should change it across all accounts that use a password that might be hacked.

To maximize your protection, consider switching important accounts to a new email address, which you keep completely secret.

You should also call any bank or organization where you think your identity may be exposed. They can offer more specific guidance on your situation, and may even be able to implement additional controls to protect your identity.

Stay safe.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.