In 2013, a single individual deceived a subsidiary of a multi-billion dollar company, gaining access to 200 million personal records. It turns out he had been selling personal information from the U.S. to cybercriminals worldwide for years.
This breach left millions of Americans vulnerable to identity theft and financial fraud, facing the endless possibility of consequences for having their identity stolen. Victims faced long-term struggles, including financial loss, damaged credit scores, lost government benefits, and even the takeover of other accounts. This barely scratches the surface of the psychological and emotional damage caused by identity theft.
Unfortunately, this incident is just the tip of the iceberg among the thousands of data breach incidents that have occurred to date.
Over the years, identity theft and data breaches have become prominent topics of public concern. Incidents have reached scales far beyond our imagination – exposing millions – even billions – of identities at once.
One of the largest data breaches to date leaked nearly 11 billion records.
Source: Identity Theft Resource Center.
1 in 3 Americans have faced some form of identity theft during their lives. This comes as no surprise, given that there were over 1 billion data breach victims in just the first half of 2024. This underscores the crucial reality that if nothing changes, it’s not a matter of “if” we’ll be victims of identity theft but “when.”
Identity theft: An overview
Identity theft happens when someone’s personal or financial information is stolen to potentially commit fraud or other crimes. Personal information includes your name, contact information, account credentials, financial information, driver’s license, social insurance number, medical records, and even birth information.
Credit card fraud was the most common type of identity theft in 2023, accounting for over 40% of identity thefts.
Source: Federal Trade Commission.
Identity theft can happen through many means, but some common sources of identity theft include:
Some common reasons include:
- Data breaches – When there is unauthorized access to sensitive, protected or confidential information. This can be done in the masses – the largest data breach to date impacted over 3 billion accounts.
- Social engineering attacks – When people are manipulated into performing an action that exposes sensitive information. Common social engineering attacks include phishing, smishing, vishing, baiting and pretexting.
- Lost or stolen personal belongings – When people lose or have personal items stolen that contain personal information, such as wallets, mobile devices or mail.
- Public Wi-Fi networks – When a hacker breaks into a weak public network to view all the data that’s sent, including emails, passwords and account numbers.
- Fake websites – When a fraudster creates fake websites, often imitating real websites, to get users to directly input their real credentials. Common tactics include fake login pages or lookalike domain names.
- Card skimming – When fraudsters install skimming devices on ATMs or card readers to steal credit card account information. They can then use this information to clone the card or make online purchases.
- The Dark Web – Leaked or stolen data often ends up on the dark web, where fraudsters can purchase it to commit fraud using your identity.
Types of Social Engineering Attacks
Phishing – A social engineering tactic that leverages communications, usually email, to deceive people into sharing sensitive information.
Smishing – The act of tricking people into sharing confidential information via SMS or other texting channels.
Vishing – The use of telephone services, usually call or voice messages, to deceive people into revealing private information.
Baiting – The use of attractive offers or awards to lure people into traps that steal sensitive information.
Pretexting – Creating false scenarios to earn trust and manipulate people into sharing confidential information.
Fraudsters go through various means to steal identities, and it can seem like a lot of effort. But the truth is, your identity is valuable. An individual’s information can be worth more than $1,000 on the dark web. With your identity, fraudsters can remain masked while committing serious online crimes for various gains.
There are many reasons why fraudsters may commit identity theft, including financial gain, concealment from law enforcement, access to certain services, and even personal reasons.
Financial gain
Financial gain is a primary motivator, as identity theft opens several avenues for illicit profits. For instance, bad actors can use stolen financial information to make purchases or drain all of the victim’s funds, causing severe financial loss. In extreme cases, bad actors can also take loans under the victim’s name, damaging their credit score and reputation with financial institutions in the process.
Concealment from law enforcement
Another key driver is hiding one’s tracks from law enforcement. One of the first things bad actors will do if they are committing fraud online is to try to mask signs of criminal activity or redirect it somewhere else. Fraudsters may steal identities to commit crimes under someone else’s name and location, making it difficult for law enforcement to pinpoint the actual perpetrator.
Access to services
Bad actors may even commit identity theft in order to access certain services they wouldn’t be able to get otherwise. This may include government benefits, medical services, access to employment in certain areas with higher pay, or even online services like media streaming, banking or gambling.
Personal motives
Finally, bad actors could commit targeted identity theft for personal reasons. People naturally fall out with one another, leading to bitterness or resentment. In extreme cases, someone may commit identity theft out of revenge, envy, defamation, or malice.
Identity theft is a complex issue with many channels, motives, and targets. Its consequences can severely impact businesses and individuals alike.
Beyond the dollar figure: The hidden costs of identity theft
The global average cost per data breach for an organization – just one source of identity theft – is at an all-time high of $4.88 million. This is a 10% increase from last year and could likely increase in the next year. Not to mention, this cost doesn’t even begin to scratch the surface of its impact on businesses.
Identity theft can have several implications for businesses, ranging from financial loss to reputation damage.
Financial loss
Identity theft can lead to financial loss, including direct losses from fraudulent transactions, unauthorized purchases, chargebacks resulting from identity theft, legal costs and costs related to remediation and recovery.
Reputational damage and loss of trust
Identity theft can erode customer trust, especially for customers who trusted the organization to protect their information. This effect is amplified if a major security breach is reported by media outlets.
Legal consequences
Businesses that handle sensitive information are subject to data protection regulations. If a business is negligent, identity theft incidents can lead to investigations, resulting in significant fines and penalties.
Operational disruptions
Finally, identity theft can lead to significant business disruptions, requiring substantial resources to recover. These include additional staff, legal consultations, and security measures.
In addition to harming businesses, identity theft can also have severe consequences for individuals—often employees or customers of organizations that experience security breaches. In 2023, American adults lost $43 billion to identity fraud.
However, identity theft victims can experience far more than financial loss. Some victims can lose the ability to continue with their day-to-day activities, experiencing life-altering psychological effects. Victims could end up losing their hard-earned life savings, face mounting debt, receive a low credit score beyond their control, lose tax or government benefits, or, in extreme cases, be framed for a crime they did not commit.
Organizations that carry sensitive data have an obligation to protect their users. Not just for the sake of their reputation but to safeguard their users’ financial security, privacy, and personal well-being.
Data breaches: A catalyst for identity theft
The sheer volume of data breach incidents hit an all-time high in 2023 – almost triple the volume from 2020. The sharp rise in data breaches heightens susceptibility to identity theft, putting individuals and businesses at risk. In fact, around 1 in 4 consumers hit by a data breach will later become victims of identity fraud – especially if their payment information is exposed.
Specific industries are particularly vulnerable to data breaches. For instance, public administration, financial services, insurance, and healthcare particularly face threats due to the rich trove of personal information that they carry. Institutions that carry financial information are particularly at risk, as most data breaches are driven by financial motives.
95% of data breaches are financially motivated.
Source: Verizon.
Data breaches can reveal all sorts of information, from social security numbers and account credentials to credit card and banking information. Using this information, bad actors can impersonate real users, take over accounts, make unauthorized purchases, commit various forms of fraud and theft and commit atrocious acts masked under a different identity.
Fortunately, with the right safeguards in place, organizations can secure their data and prevent fraudsters from accessing their platforms.
Proactive defences: Protecting data and building trust
A common missing piece to detecting identity theft is having tamper-resistant geolocation and device data. Whether it’s stolen credentials, account takeovers, unauthorized logins or identity fraud, knowing exactly where a user is coming from and the integrity of their device is key to providing a holistic picture of whether someone is really who they claim to be.
For example:
- Account takeovers/unauthorized account access – Having context-driven geolocation and device intelligence can reveal whether users are logging in from their usual devices and locations and whether any changes in location align with reality. For instance, identity theft could be involved if location jumping occurs, and there is a sudden login from halfway across the world within seconds of the real user logging in from their actual home. A device that has been reset multiple times is also a red flag.
- Account creation fraud – Precise geolocation and device insights can show if a user’s registration details align with their actual location and if the registrant is who they claim to be. If signals reveal that the user’s location does not match their purported address and comes from a high-risk area, it is very likely that the account is not legitimate.
- Identity fraud – Incorporating geolocation and device intelligence in your customer verification process is a proactive way to detect fraud at the registration stage and maintain the integrity of your users. In addition to being able to compare a user’s information to common, authoritative sources, having additional geolocation and device checks offers an additional layer of protection in ensuring customers are who they say they are.
- Organized crime – Analyzing patterns from advanced geolocation and device data can reveal indicators of organized crime, such as money laundering activity or fraud rings. For instance, if hundreds of accounts are only accessed by a few devices or from the same locations, this is likely an indicator of fraud. Using the same technology, these high-risk devices or locations can be blocked or geofenced from your platform, keeping your users and your organization safe from repeat offenders.
- Location masking – If someone is stealing identities to commit fraud, they will very likely be masking their location with advanced spoofing tools. Having spoof-resistant geolocation technology that leverages multiple location sources and detects the presence of sophisticated spoofing tools will reveal a common indicator of identity theft – the repeated use of complex spoofing tools to mask the fraudster’s actual location.
Identity theft can facilitate various forms of fraud that harm your business and your customers. However, with the right types of tools in your anti-fraud tech stack, you can keep bad actors off your platform while securing your data.
GeoComply is a leader in geolocation technology with over a decade of experience detecting and preventing fraud for our customers in high-risk industries. Processing over a billion checks monthly, our experience gives organizations the insights they need to uncover a user’s true intent – whether it’s a bad actor trying to gain unauthorized access to someone’s account or a fraud ring trying to launder money under false identities.
Want to shield your platform from identity theft?
Learn how GeoComply can help secure your data and keep bad actors off your platform.
