Skip to main content
    Back to Guides

    How Identity Theft Happens: A Complete Guide for 2024

    GetCyberRight TeamApril 27, 202611 min read
    identity theft
    phishing
    data breaches
    cybersecurity basics
    online safety

    How Identity Theft Happens: A Complete Guide for 2024

    Introduction

    Identity theft happens when someone steals your personal information and uses it without your permission. They might open credit cards in your name, drain your bank account, file fake tax returns, or even get medical treatment using your insurance. In 2023, the Federal Trade Commission received over 1 million reports of identity theft, affecting people of all ages and backgrounds.

    Understanding how identity theft happens is the first step in protecting yourself. Criminals use many different methods to steal your information, from high-tech computer hacking to simply going through your trash. The good news is that once you know their tactics, you can take simple steps to protect yourself and your family.

    This guide will walk you through the most common ways identity thieves operate. You'll learn what they're looking for, how they get it, and most importantly, what you can do to stop them. Whether you're protecting your own information or helping an elderly parent stay safe, this information can help you avoid becoming the next victim.

    Data Breaches: When Companies Get Hacked

    What is a Data Breach?

    A data breach happens when hackers break into a company's computer systems and steal customer information. This might include your name, address, Social Security number, credit card numbers, passwords, or medical records. Large companies store information about millions of customers, making them attractive targets for criminals.

    In recent years, major breaches have affected companies you probably do business with. Equifax, one of the three big credit reporting agencies, had a breach in 2017 that exposed information for 147 million Americans. In 2023, a major healthcare company breach exposed medical records and Social Security numbers. These breaches happen regularly, and you might not even know your information was stolen until months later.

    What Happens After a Breach

    When criminals steal data in a breach, they often sell it on the dark web (hidden parts of the internet where illegal activity happens). Other criminals buy this information and use it to commit fraud. They might wait months or even years before using your information, which is why a breach from several years ago can still cause problems today.

    Companies are supposed to notify you if your information was part of a breach, but the notification might come weeks after the theft happened. By that time, criminals may have already used your information.

    How to Protect Yourself from Data Breaches

    While you can't prevent companies from getting hacked, you can limit the damage:

    Use different passwords for every account. If hackers steal your password from one company, they'll try it on other websites. Using unique passwords stops them from accessing multiple accounts.

    Sign up for account alerts. Most banks and credit card companies will text or email you about unusual activity. Turn on these alerts so you know immediately if someone uses your information.

    Monitor your credit reports. You can get free credit reports from all three credit bureaus at AnnualCreditReport.com. Check them at least once a year for accounts you didn't open.

    Consider a credit freeze. A credit freeze stops anyone (including you) from opening new credit accounts in your name. It's free and one of the best protections against identity theft.

    Phishing: Tricking You Into Giving Information Away

    Understanding Phishing Attacks

    Phishing happens when criminals pretend to be someone trustworthy to trick you into giving them your information. They might send an email that looks like it's from your bank, a text message claiming to be from a delivery company, or a phone call from someone pretending to be from the IRS.

    These messages often create a sense of urgency. They might say your account will be closed, you owe money, or you've won a prize. The goal is to make you panic and act quickly without thinking carefully.

    Common Phishing Tactics

    Email phishing is the most common type. You might receive an email with your bank's logo saying there's a problem with your account. The email includes a link to "verify your information." When you click the link, it takes you to a fake website that looks real. When you enter your username and password, the criminals capture it.

    Smishing is phishing through text messages. You might get a text saying a package couldn't be delivered or that your account is locked. These messages often include links to fake websites.

    Vishing is phishing over the phone. Someone calls claiming to be from your bank, Microsoft tech support, or a government agency. They ask you to verify your account number, Social Security number, or other personal information.

    Spear phishing targets specific people. Criminals research you online (through social media, for example) and create personalized messages. An email might mention your actual employer or reference a real event in your life, making it seem more legitimate.

    How to Spot and Avoid Phishing

    Never click links in unexpected emails or texts. If you get a message about your account, don't click the link. Instead, open your web browser and type in the company's website address yourself, or call the customer service number on your credit card or statement.

    Look for signs of fakery. Phishing messages often have spelling errors, strange grammar, or email addresses that don't quite match the real company (like "[email protected]" instead of amazon.com).

    Remember that legitimate organizations won't ask for sensitive information by email or text. Your bank will never email asking for your password or PIN. The IRS will never call demanding immediate payment over the phone.

    When in doubt, verify independently. If someone calls claiming to be from your bank, hang up and call the number on the back of your credit card. If you get an email about a problem, contact the company directly using a number or website you know is real.

    Physical Theft: Old-Fashioned Methods Still Work

    Mail Theft and Dumpster Diving

    Not all identity theft happens online. Criminals still use traditional methods to steal your information. Mail theft is surprisingly common. Thieves take mail from your mailbox looking for credit card offers, bank statements, tax documents, or checks. They can use these documents to open accounts in your name or steal money directly.

    Dumpster diving involves going through your trash looking for documents with personal information. Bank statements, medical records, credit card offers, and utility bills all contain information criminals can use.

    Stolen Wallets and Purses

    When your wallet or purse is stolen, the thief gets immediate access to your credit cards, driver's license, insurance cards, and anything else you carry. With your driver's license, they have your name, address, birth date, and a photo they might be able to alter. This gives them everything they need to pretend to be you.

    Protecting Your Physical Information

    Get a locked mailbox or use a P.O. box if you've had mail theft problems in your neighborhood. Pick up mail promptly, and when you're on vacation, ask the post office to hold your mail.

    Shred documents before throwing them away. Get an inexpensive crosscut shredder and use it for anything with personal information. This includes credit card offers, bank statements, medical records, and old bills.

    Carry only what you need. Don't carry your Social Security card in your wallet. You rarely need it, and if your wallet is stolen, the thief has one of the most valuable pieces of information for identity theft.

    Opt out of prescreened credit offers. These pre-approved credit card offers in your mail are tempting targets for thieves. Call 1-888-567-8688 to opt out permanently.

    Social Engineering: Using Information You Share

    How Criminals Use Public Information

    Social engineering means manipulating people into giving up information or access. Criminals gather information about you from social media, public records, and other sources, then use it to seem trustworthy or to answer security questions.

    Think about what you share on Facebook or Instagram. Do you post about your birthday? Your pet's name? Your mother's maiden name? Your first car? These are all common security questions that banks use. When you share this information publicly, you're giving criminals the answers they need to access your accounts.

    Building a Profile

    Identity thieves are patient. They might spend weeks gathering small pieces of information about you. From social media, they learn your birthday, where you work, where you went to school, your pet's name, and your hobbies. From public records, they can find your address and property information. From data breaches, they might have your email address or old passwords.

    They combine all this information to impersonate you. They might call your bank armed with enough personal details to convince the customer service representative that they're really you. Or they might use the information to answer password reset questions and take over your accounts.

    Protecting Yourself from Social Engineering

    Review your social media privacy settings. Make your posts visible only to actual friends, not "friends of friends" or the public. Be especially careful on Facebook, where settings can be confusing.

    Think before you post. Those fun quizzes that ask about your first car, your childhood street name, or your high school mascot? They're collecting answers to common security questions. Don't participate in these.

    Use security questions carefully. When a website asks for security questions, you don't have to answer truthfully. Consider using false answers that you'll remember, or use a password manager to store unique, random answers.

    Be skeptical of requests for information. If someone calls saying they need to verify your information, ask why. A legitimate company already has your information and doesn't need you to verify it.

    Public Wi-Fi and Unsecured Networks

    The Dangers of Public Wi-Fi

    When you use Wi-Fi at a coffee shop, airport, or hotel, you're sharing a network with strangers. Criminals can set up fake Wi-Fi networks (like "Free Airport WiFi") to trick people into connecting. Once you're connected to their network, they can see everything you do online, including passwords you type and websites you visit.

    Even on legitimate public Wi-Fi, tech-savvy criminals can intercept information traveling between your device and the internet. This is especially dangerous if you're accessing sensitive accounts like banking or email.

    Shopping on Unsecured Websites

    When you shop or enter personal information online, always check that the website is secure. Look for "https://" at the beginning of the web address (the "s" stands for secure) and a padlock icon in your browser's address bar. These indicate that your information is encrypted (scrambled) as it travels to the website.

    Websites without this security (those that only show "http://") send your information in plain text that criminals can easily intercept.

    Staying Safe on Public Networks

    Avoid accessing sensitive accounts on public Wi-Fi. Don't check your bank account or enter credit card information when using Wi-Fi at a coffee shop or airport. Wait until you're on a secure network at home or use your phone's cellular data instead.

    Use a VPN if you must use public Wi-Fi. A VPN (Virtual Private Network) encrypts all your internet traffic, making it unreadable to anyone trying to intercept it. Many good VPN services cost less than $10 per month.

    Turn off automatic Wi-Fi connections. Your phone might automatically connect to any available Wi-Fi network. Turn this feature off so you can choose which networks to trust.

    Verify network names. If you're at "Joe's Coffee Shop," the Wi-Fi network should be something official looking, not "Free Coffee WiFi." Ask an employee for the correct network name.

    Summary: Staying Protected

    Identity theft can happen in many ways, from sophisticated computer hacking to simple mail theft. Criminals are constantly developing new tactics, but the basic protections remain the same:

    Stay alert and skeptical. Question unexpected emails, texts, and phone calls. Don't share personal information unless you're certain who you're dealing with.

    Use strong, unique passwords for every account. Consider a password manager to help you keep track of them.

    Monitor your accounts and credit reports regularly. The sooner you catch fraudulent activity, the easier it is to fix.

    Protect your physical documents. Shred sensitive papers, secure your mail, and carry only necessary documents.

    Be careful what you share online. Review privacy settings on social media and think twice before posting personal information.

    Freeze your credit if you're not planning to apply for new credit soon. It's one of the most effective protections available.

    Remember, identity thieves count on people being too busy or too trusting to question suspicious activity. By staying informed and taking these simple precautions, you make yourself a much harder target. Criminals typically move on to easier victims when they encounter someone who's protected their information well.

    Protecting your identity is an ongoing process, not a one-time task. Make these practices part of your routine, and encourage family members, especially elderly relatives who are often targeted, to do the same. The few minutes you spend on protection now can save you countless hours and thousands of dollars if your identity is stolen.

    Frequently Asked Questions

    Related Content

    Got a suspicious link, email, or text?

    Run it through our free Scam Guard before you click or reply.

    Check a suspicious link now