Identity Theft FAQ

Identity theft is the misuse of another person's identifying information. In true identity theft, an identity thief uses another person's Social Security number and other identifying information to fraudulently open new accounts for financial gain. Victims may be unaware of the fraud for an extended period of time, which can allow the criminal to continue the ruse for months or even years. The criminal can use the victim's identity to work, receive medical care and commit other types of fraud. Account-takeover and credit-related fraud are common problems associated with identity theft.

Some examples of the many ways criminals use stolen identity information are to:     

• Obtain credit fraudulently from banks and retailers
• Steal money from the victim's existing accounts
• Apply for loans
• Establish accounts with utility companies
• Rent an apartment
• Obtain a job
• Receive medical care
• Achieve other financial gain using the victim's name

Account takeover occurs when an identity thief acquires a person's existing credit or bank account information and either withdraws money or makes purchases. Victims usually learn of account takeover when they check their account statements online or receive their monthly credit card or bank account statements.

To reduce your chance of becoming a victim, check out our Consumer Tips. Find out how to protect your Social Security card, mail, checks, passwords, online activities, and much more.

There are three main threats to the data on your computer: malicious software, network intrusion by hackers, and physical theft.

To protect your computer against viruses, spyware, worms, and Trojan Horse programs (which let hackers control your computer), you must use antivirus, anti-spyware and anti-malware software—and keep those applications up-to-date. To keep intruders out, connect to the Internet through a properly configured firewall, keep administrative names and passwords updated, set wireless networks to "no broadcast" and be sure to power down your computer when not in use. Never open an email spam or other emails from unknown sources and avoid using public computers for online banking, email account access, or other sensitive exchanges of information, as keystroke loggers, web "cookies," or cached pages may be capturing your data.

Limit access to your computer to those you truly trust, and use restrictive permission levels to protect sensitive files. Whenever possible, encrypt files containing sensitive information, including backup files. And don't forget to protect your computer against physical theft—"password protection" sounds daunting but is actually easy for a tech-savvy criminal to defeat.

Finally, beware of "phishing" and "pharming" scams, which use fake corporate email, redirected web addresses, and "cloned" corporate web pages to plant viruses and con users into providing sensitive information. Never provide identity or account information in response to an email or if you have doubts about a website's authenticity. To learn more, check out our Consumer Tips.

Theft of wallets and purses was once the most common way to obtain identity documents and account information. Today, identity thieves attack virtually every area of an individual's life, wherever personal information is stored or sent. An identity thief needs only a few strategic bits of your personal information to commit identity theft and fraud. The more accounts the criminals are able to open, the more "evidence" they have that your identity belongs to them. Some of the most common methods include:
 

• Dumpster diving in trash bins for credit card statements, loan applications, and other documents containing names, addresses, account information, and SSNs
• Stealing mail from unlocked mailboxes to get preapproved credit offers, credit cards, utility bills, bank and credit card statements, investment reports, insurance statements, benefits documents, and tax information
• Impersonating a loan officer, employer, or landlord to obtain access to credit files
• Taking advantage of "insider" access to names, addresses, birth dates, and SSNs in personnel or customer files
• Shoulder surfing when people are using laptops in public places or watching ATM transactions and public phones to capture PINs
• "Skimming" of credit and debit card information at point-of-sale by copying the card or using a small electronic "skimmer" device
• Tapping online sources of personal data, such as public records, fee-based information sites, and personal networking sites
• Hacking into an organization's database to steal sensitive information
• Purchasing fraudulent identities on the Internet or through a secondary market

Debt Tagging is a term used to describe when collectors target the wrong person for a debt and append that debt to their credit files.

After years of trying to collect on a debt, collection agencies are often left with old outdated contact information. If you have a common name or one that is similar to who they are looking, your risk is higher and you could be tagged with another person’s debts.

If you are contacted and do not believe the debt is yours, ask for proof of the debt. Debt collection agencies are required under the Fair Debt Collection Practices Act to provide debtors with proof of the debt they are attempting to collect.

Next, check to see if you are covered with Identity Theft Protection by your homeowners, auto or other insurance policies. Also check with your bank, credit union or financial services or employee benefits. If you are covered, call their claims/customer service departments. 

Child identity theft is true identity theft in which the victim is a minor child. Because a child (or parent acting on behalf of the child) is unlikely to request credit reports or to try to obtain credit, the theft can go undetected for a long time. In fact, the theft may not be detected until the child becomes an adult and applies for credit. If no credit report exists in your child's name, that is a good indication that your child has not been a victim. However, if you receive collection calls, statements and/or pre-approved credit offers in your child's name, your child may be a victim of identity theft.

Medical identity theft is the misuse of a person's identity to obtain health care goods and services. It is a growing crime as the trend towards electronic medical records gains momentum. Often the first time a victim gets wind of medical identity theft is when he or she receives a statement from an insurance company for services rendered. To help detect this type of theft, read all Explanation of Benefits statements you receive from your insurance company and contact the provider immediately if you see descriptions of services unrelated to your own health care. Also, watch for any unpaid medical claims on your credit report. 

In synthetic identity theft, instead of stealing an actual person's identity, a thief creates a fictional identity by taking pieces of information from a number of people. The thief usually starts with one victim's Social Security number and then composes a fictional identity associated with that number. Synthetic identity theft is often harder to detect than true identity theft, because accounts and other credit that is falsely obtained typically do not show up on the credit report of the victim whose Social Security number has been stolen. Since the thieves have created fictional identities instead of stealing real consumers' identities, it is most often banks that are the real victims of this type of theft because they are stuck with the bills. Beware of so-called credit repair companies that use synthetic identity theft to "erase" your credit file and create a synthetic (or fictional) identity for you. While this tactic appears to solve your credit problem, it is illegal and could create new ones down the road.

A data breach is a situation in which information is either lost by or stolen from an organization or individual. Financial information, medical records, customer information, and student data are all examples of information that has been accessed as a result of data breaches. The incidents can occur under a number of different scenarios. Hacked databases and stolen laptops, PDAs, USB flash drives containing sensitive information account for many breaches. More than 75% of states now legally require organizations to contact affected individuals when a data breach occurs.

Credit monitoring involves monitoring your credit history for suspicious activity. The three credit bureaus offer credit monitoring for a modest fee, providing services such as allowing you to check your credit files every day for any fraudulent usage of your identity. To find out more about this service, see links for the three credit bureaus on our Resources section.

Fraud monitoring allows you to monitor public record databases for suspicious activity. Public record databases can show if someone has broken the law using your identity.

Beware of companies that guarantee they can prevent identity theft. While you can mitigate your risk of becoming a victim and the damage after a compromise, no one can give you a 100% guarantee that you can escape. Even if you do everything right, you might still be on the wrong database at the wrong moment. Never forget, the bad guys are getting better and better at what they do and are often far ahead of the good guys.

A fraud alert is a warning that you can place on your credit report by contacting the three major credit bureaus. It signals to potential creditors that you may be, or are at risk of being, a victim of identity theft. A fraud alert can take one of three forms—an initial alert, an extended alert and a military fraud alert:

Initial Fraud Alert — An initial alert lasts for at least 90 days. It is a precaution that can be taken in situations where you think you are at heightened risk for identity theft or that someone is currently stealing your identity, e.g., if your purse has been stolen. Placing an initial alert on your credit report requires potential creditors to use "reasonable policies and procedures" to confirm the legitimacy of your identity when it is used for credit applications. These "reasonable policies and procedures" may not always adequately protect you, however, so be sure to monitor your credit report carefully even if you've placed an initial fraud alert.

Extended Fraud Alert — An extended alert remains on your credit report for seven years. You are eligible to place this type of alert on your account if you have been the victim of identity theft and provide the credit bureaus with an identity theft report such as the one found on the FTC website.

Active Duty Military Fraud Alert — An active duty alert helps protect military personnel from identity theft. If you are a member of the military and away from your usual duty station, you may place an "active duty alert" on your credit report to help minimize the risk of identity theft while you are deployed. If you place an active duty alert, businesses must verify your identity before issuing credit in your name, which makes it harder for identity thieves to use your information to apply for credit. Active duty alerts on your report last for one year unless you request that the alert be removed sooner. If your deployment lasts longer, you may place another alert on your report.

A security freeze (or credit freeze) gives consumers the option to "freeze" or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. When a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor will not be able to check the credit file (this is only the case if the creditor checks the credit file before extending credit). When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed. Currently 47 states and the District of Columbia have joined the legislative surge against identity theft, enacting laws that empower consumers to freeze their files.

A security freeze shouldn't be enacted without careful consideration. Before ordering a security freeze, first make sure no legitimate parties are going to require timely access to your credit (these could include cell phone companies, utility providers, or landlords, to name a few examples). Additionally, if any change is made to your personal information during a security freeze, e.g., if your address changes, the companies that would normally report this to the credit bureaus will not be able to do this—you are responsible for contacting the credit bureau and conveying any changes to your personal information. So, if you are in immediate need of credit, e.g., you are about to apply for a mortgage or need to apply for a car loan, first determine whether you will be able to handle delays resulting from the security freeze. For additional information on security freezes, visit the Consumers Union’s Guide to Security Freeze Protection.

You can monitor your credit by checking your credit report from all three agencies at least twice a year. Under FACTA, every consumer has the right to get a copy of his or her credit report free from each of the credit reporting agencies. Instead of getting a report from all three credit reporting agencies at once, get one from each bureau every four months (providing you with a different snapshot three times per year). To obtain your three free reports annually, do not contact the reporting agencies as you normally would. Instead, go to this website, which was set up specifically to allow consumers to receive free credit reports: www.annualcreditreport.com.

You can also monitor fraud in your medical files, on your Social Security statement, insurance claims, or in public records. To find out how to get these reports, see the links on our Resources section.

Yes. In 1998 Congress passed the Identity Theft and Assumption Deterrence Act (918 U.S.C.1028), which makes it a federal felony to use another person's identification with the intent to commit unlawful activity. Federal agencies such as the Secret Service, the FBI, and the U.S. Postal Inspection Service investigate suspected violations of this law; the Department of Justice handles prosecutions. Visit the FTC's website to find out more about federal and state laws governing identity theft, consumer credit and privacy and information.