Identity theft is on the rise, with 842,000 cases reported to the FTC in the first nine months of 2024 and 290,000 cases reported in Q3 alone. If this trajectory continues, the total for the year will surpass last year’s numbers.
Since 2020, identity theft and credit card fraud have been the most common types of fraud, and reports have been climbing over the past year. And because these FTC numbers rely on consumer reports, the actual number of cases is likely even higher.
Key findings highlight the evolving landscape during Fraud Awareness Week::
- GenAI tools on the rise: 83% of anti-fraud professionals plan to incorporate generative AI into their defenses within the next two years, according to an ACFE and SAS study.
- Spike in identity theft cases: Reports surged from 371,000 in 2017 to 1.4 million in 2021, with current levels still exceeding pre-pandemic rates despite a slight decline.
- Financial impact: Losses from identity theft reached $23 billion in 2023, up from $20 billion in 2022, as reported by Javelin Strategy & Research.
These trends underscore the urgent need for advanced strategies to combat fraud and protect against identity theft.
Data breaches are one of the ways criminals commit identity theft and credit card fraud. The hackers who steal information through data breaches often sell it on the dark web. Buyers then use the information for various types of fraud.
Data breaches
The number of data compromises jumped in 2023 to 3,205 from 1,801 in 2022. However, the number of individuals impacted fell by 17%, from 422 million to 352 million, according to The Identity Theft Resource Center.
Why have there been more data compromises but fewer individuals impacted? The Identity Theft Resource Center reports that cybercriminals aim to acquire specific personal information that can be used for identity theft, fraud, and scams instead of more sprawling attacks.
Most data breaches occur via cyberattack, with phishing, ransomware, and malware being the most common tactics. Here’s how each works:
- Phishing is when a cybercriminal pretends to be a trusted entity so the target will click a link in an email, text message, or chat message.
- Ransomware is a type of malware that threatens to release sensitive data if the target doesn’t pay a ransom.
- Other types of malware — which can be inadvertently downloaded through fraudulent ads or other links — can monitor computer activity and keystrokes, and steal personal information.
There were four root causes of the over 3,000 data breaches in 2023:
- Cyberattacks: Includes phishing, ransomware, malware, and unsecured cloud environments.
- Human and system errors: Includes failure to configure cloud security, email or letter correspondence, and lost devices and documents.
- Physical attacks: Includes device theft, document theft, improper disposal, and skimming devices.
- Supply chain attacks: Occurs when the attacker compromises a smaller vendor to access information held by a larger company.
Cyberattacks are by far the most common cause of data breaches and impact the largest number of people overall. Human and system errors don’t happen nearly as often, but when they do, they impact more people on average. A cyberattack in 2021 impacted an average 117,000 people, whereas each human and system error impacted about 586,000 people.
Most data breaches included people’s names, and over half of them included full Social Security numbers. Fortunately, fewer than 20% of data breaches contained bank account or payment card information.
Data compromises hit a record high in 2023, but impacted fewer people as cybercriminals change their tactics and continue to take aim at personal information instead of undertaking sweeping attacks.
While identity theft isn’t as commonplace as it was during the height of the pandemic in late 2020 and early 2021, reports still remain above what was recorded in 2019.
To prevent identity theft, the FTC recommends securing personal information, whether it be in physical form or online, and being vigilant when someone asks for your Social Security number or other sensitive personal information.
