Identity Theft

Often cited as one of the fastest-growing crimes in the United States and abroad, identity theft continues to be of great concern to the public. According to the 2013 Unisys Security Index, 57 percent of Americans surveyed reported that they are seriously concerned about identity theft (Unisys 2014).¹ It is a crime that is difficult to control and has become increasingly complex as offenders adapt to target hardening by consumers and businesses and identify new sources of data containing personally identifying information. Because identity theft includes multiple forms of fraud, it is difficult to illustrate with singular examples; however, the following cases help to illuminate the complexity of identity theft, as well as the range of people who engage in this crime. In May 2014, 25 people were charged in a conspiracy that involved identity theft, as well as street-level drug selling, a prescription pill operation, and counterfeit check schemes in New York and New Jersey. One member of the group stole personal identifying information, including names and birth dates from his place of employment, and then passed the information on to another member who used it to fill out stolen or forged prescriptions for oxycodone. Other members then had the prescriptions filled at pharmacies and passed the product to yet another individual, who then sold the pills on the streets. The group also included an employee at a check-cashing store who provided members with personal and account information of small businesses, churches, and charitable organizations. The stolen information was then used to manufacture counterfeit checks and create false identification cards. Ring members recruited individuals to go inside banks with the false IDs, deposit counterfeit checks, and withdraw money from the bank accounts of individuals whose identities they had stolen (Jacobs 2014). In a case that illustrates the global reach of identity theft, three men were charged with buying cars in San Diego using stolen identities and credit cards and then shipping them to Ghana to be resold for financial gain. The men allegedly purchased stolen credit cards and drivers’ licenses in bulk from a “carder” website in Singapore.² Using the victims’ information, the ringleader assumed their identities to negotiate the purchase of vehicles, email drivers’ license numbers and card information to the dealerships, and pay for the cars’ transport to New Jersey where they would be shipped to Africa and resold by a criminal organization (Vigil 2014). Although the aforementioned cases resulted in victims’ losses of an estimated $80,000 and $500,000, respectively, the financial gain from identity theft can be much more extensive, reaching into the millions of dollars. For example, over a three-year period from 2010 to 2013, a group of 10 women filed over 7,000 false tax returns, resulting in nearly $20 million in refunds. The women set up sham tax businesses and filed false tax returns using identities stolen from their places of employment, which included a hospital, various state agencies, and call centers (Gibson 2014). Last, while some identity thieves work in small groups, others work alone. In a recent incident, a community college student stole the personal identifying information and credit card numbers of clients from her former place of employment (a medical billing company). She used the information to pay tuition at the school and purchase items such as clothing, jewelry, and airline tickets. During her employment, she had access to thousands of clients’ personal and financial information, and at the time of her arrest was in possession of more than 400 identity profiles and 200 credit card numbers (CBS Los Angeles 2014).

As illustrated by the aforementioned cases, identity theft schemes range from the simple to the complex, are committed by offenders working alone and in groups, and are committed by an array of offenders, including employees of legitimate businesses to common street offenders. Current data suggest that identity theft affects millions of people each year at a loss of billions of dollars to individuals and businesses. It was the number-one most reported fraud to the Federal Trade Commission’s (FTC) Consumer Sentinel Network in 2013 and has held this position fairly consistently over the past decade (FTC 2014).

The purpose of this essay is to provide an overview of identity theft, including what is currently known about the trends and patterns of identity theft, information on offenders and victims, as well as the methods of carrying out identity theft from the available data on offenders. In the next section, we present data from various agencies and organizations tasked with collecting information on identity thefts that occur in the United States and other countries. This section is followed by an overview of offenders that engage in identity theft as well as those who are victimized. We conclude with a discussion of the techniques employed by identity thieves to steal personally identifying information and convert it to cash or goods for financial gain.

The Identity Theft Assumption and Deterrence Act (ITADA), passed in 1998, states that identity theft occurs when a person “knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.” The term “means of identification” is defined as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual.” Yet, despite the federal statute, “there is no one universally accepted definition of [it] as the term describes a variety of illegal acts involving theft or misuse of personal information” (Bureau of Justice Statistics [BJS] 2006).

The definitional problem makes it difficult to consistently measure identity theft, and often, the organizations and agencies collecting data employ different measures of this crime. The main issue centers on whether to include credit card fraud under the term “identity theft.” For example, if an offender steals a credit card, makes a purchase, and then discards the card, has the victim’s identity been stolen? Does the use of a financial account identifier constitute identity theft? Or does identity theft occur only when an offender uses personally identifying data? An offender can use a credit card number (financial account identifier) to make unauthorized purchases or use a social security number (personally identifying data) to open a new credit card account and make purchases (Copes and Vieraitis 2012). Some researchers (e.g., Allison, Schuck, and Michelle Lersch 2005, Copes and Vieraitis, 2007, 2009a,c, 2012) exclude credit card fraud while others include it (e.g., BJS, 2013; FTC, 2014).

Others raise a second issue regarding the definition and measurement of identity theft, arguing that the crime involves two separate elements, theft and fraud, and that they should be defined and measured accordingly. In this case, “identity theft” occurs when an offender steals a victim’s personal identifying information, such as a social security number, birth certificate, or driver’s license, whereas “identity fraud” occurs when an offender uses the stolen information to open credit card accounts, obtain bank loans, or deposit counterfeit checks and make withdrawals from the victim’s bank account (Koops and Leenes 2006). Although identity fraud cannot occur without identity theft, identity theft is not always followed by identity fraud, and the two components may be committed by separate offenders. Thus, it is important to be cognizant of the definition of identity theft employed by agencies and organizations when measuring the extent and patterning of this crime.

As with most crimes, understanding the true nature and extent of crime is problematic as much criminal victimization goes underreported. Identity theft is no exception. It is estimated that 40 percent of all crime victims do not report their victimization to law enforcement, but the rate of reporting varies by type of victimization with more serious crimes showing a greater level, in general, of reporting than less serious crimes. For a variety of reasons, some “unknown” number of identity theft victims do not report their crimes to law enforcement authorities. According to the 2012 Identity Theft Supplement (ITS) to the National Crime Victimization Survey (NCVS), fewer than 1 in 10—or 9 percent—of identity theft victims reported the incident to police (BJS 2013). Studies from Canada provide similar rates of underreporting, with only 13 percent of Canadian victims reporting their victimization to a law enforcement agency (Office of the Privacy Commissioner of Canada 2013). However, the ITS also showed that whether someone reported the incident to law enforcement varied substantially by the type of identity theft victimization suffered by the victim. Victims of personal information fraud were the most likely to report the incident (40 percent) while the lowest rates were for victims of existing credit card fraud (4 percent; BJS 2013). Of victims who did not report the theft (91 percent), most “handled it another way,” including reporting the incident to another organization such as a credit card company. Identity theft victims may see no reason to report their victimization if they do not suffer much financial harm, as when a credit card company quickly dismisses the unauthorized charges made on the victim’s credit card. Nearly 30 percent of victims in the ITS indicated that they did not report their victimization because they had suffered no monetary loss (BJS 2013). Other victims may be reluctant to report their victimization if they know the offender for fear of retaliation or of getting the offender in trouble with law enforcement, especially if the offender is a family member. Some victims may not know the appropriate agency with which to file a report, and the issue of jurisdiction is particularly murky when offenders and victims reside in different cities, states, or even countries. Moreover, when the “victim” is a financial institution or business the incident may not be reported as some businesses are unwilling to admit their security systems are not working (Pontell 2002), some fear the potential loss of customers, and others may calculate that the tax write-off makes better business sense (Hoofnagle 2007).

Understanding the true nature of identity theft, particularly regarding offenders, is also complicated by low clearance rates. An analysis of data from a Florida police department found that identity theft cases averaged a clearance rate of 11 percent (Allison et al. 2005). Research studies conducted by Owens (2004) and Gayer (2003) report similar rates of 10 percent and 11 percent, respectively. Despite these limitations, a number of government and nongovernmental organizations that collect data on identity theft can provide some insight into this crime.

The first systematic survey of the prevalence and costs of identity theft victimization was conducted by the FTC in 2003. The results of a telephone survey of a random sample of US adults age 18 and older suggested that 27.3 million Americans had been victims of identity theft in the previous five years (1998–2002), including 9.9 million people in 2002 alone. The financial costs to businesses, financial institutions, and consumers were estimated at over $50 billion (Synovate 2003). A follow-up survey was conducted three years later in 2006. Although not directly comparable due to changes in the methodology, the 2006 survey suggested that approximately 8.3 million US adults were victims of identity theft in 2005 (Synovate 2007). In addition to the FTC surveys, other organizations have conducted surveys on identity theft, including the Javelin Strategy and Research group (Javelin), the American Association of Retired Persons, and the BJS.

Data on identity theft victimization are also collected by the FTC’s Identity Theft Data Clearinghouse, the National White Collar Crime Center, and the FBI’s Internet Crime Complaint Center. The data from these agencies, as well as state law enforcement organizations, other federal agencies, and nongovernmental organizations such as the Council of Better Business Bureaus are compiled in an online database maintained by the Consumer Sentinel Network and published each year in the Consumer Sentinel Network Data Book. Although a common source of information on identity theft victimization, as well as other consumer frauds, these data are based on victim-generated reports rather than nationally representative surveys of consumers. With these limitations in mind, the most reliable data on the extent and patterning of identity theft in the United States come from the NCVS and Javelin.

The most comprehensive and reliable data come from the BJS and Javelin. Both groups survey nationally representative samples of the US population and have been doing so since 2004 and 2005, respectively. It is interesting to note that the BJS employs the term “identity theft” while Javelin uses “identity fraud” in its survey of consumers, although the measures (defined later) are similar.

To address the need for data on identity theft victimization, BJS developed questions to measure identity theft trends and added them to the NCVS survey in 2004. Since this initial survey, the BJS has expanded its data collection efforts to include the ITS, first conducted in 2008, to collect more detailed information from individual victims age 16 and older. In 2012 major changes were made to the survey instrument, thus comparisons across years are not suggested (BJS 2013). In its most recent report, the BJS measures identity theft victimization for persons age 16 or older who experienced one or more of the following incidents (BJS 2013: 1–2):

Results suggest that nearly 17 million persons, or 7 percent of all US residents age 16 or older, were victims of identity theft in 2012, with 22 percent of victims experiencing more than one incident. The fraudulent use of existing account information, such as credit card or bank account information, was the most commonly reported type of theft—85 percent of reported cases. The direct and indirect losses from this crime total nearly $25 billion, although about half of the victims suffered out-of-pocket losses of $100 or less (BJS 2013).

Although not directly comparable to the BJS findings, Javelin also provides information about identity theft victimization in the United States. Since the survey methodology has remained relatively consistent since the initial survey in 2005, it allows for comparisons across time periods. Using the three categories originally defined by the FTC in 2003 and for persons age 18 and older, the survey measures identity theft (fraud) as: (a) existing card accounts—involving account numbers and/or the actual cards for existing credit and card-linked debit accounts; (b) existing non-card accounts—including existing checking and savings accounts and existing loans and insurance, telephone, and utilities accounts; and (c) new accounts and other frauds—new accounts or loans for committing theft, fraud, or other crimes using the victim’s personal information (Javelin 2014: 4).

According to the report, in 2013 13.1 million consumers suffered identity theft—the second highest number since Javelin began collecting data in 2005—at an estimated $18 billion in losses to consumers and businesses. The trends indicated by the data show that in 2006 there were 10.6 million victims of identity theft; this number dipped slightly in 2007 but rose to 13.9 million victims in 2009, the second highest year on record. Victimization decreased again in 2010 before rising to 13.1 million in 2013. Thus, from 2006 to 2013, identity theft victimization reported by US consumers rose nearly 24 percent (Javelin 2014).³ Existing card fraud was the most common type of victimization. The incidence of existing card fraud increased by 36 percent, affecting 5 percent of the population, to its highest level since the first survey was administered in 2006. Results also showed that the incidence of existing non-card fraud increased by a factor of 3. Although the number of fraud victims has risen since 2010, the total financial losses have declined. Total losses were $29 billion in the first year of the survey, peaking in 2009 at $32 billion before declining to $18 billion in 2013. Thus while the number of incidents of existing account fraud has risen, creating more victims, this form of identity fraud is less costly in monetary terms than nonexisting account fraud (Javelin 2014).

Data from outside the United States suggests that citizens of other countries also suffer high rates of identity theft victimization. Duffin, Keats, and Gill (2006) reported that one in four British residents is or knows a victim of identity fraud. CIFAS, the UK’s fraud prevention service, reports that over 100,000 victims of identity crime have been recorded by their organization each year since 2009 (CIFAS 2014). As of 2014, these data contained 460,000 records of confirmed frauds perpetrated or attempted against participating organizations, the majority (65 percent) of which are identity-related crimes. The data also show that existing account fraud against loans and credit cards increased significantly from 2012 to 2013 while fraud against bank accounts decreased (CIFAS 2013). A nationwide public opinion survey of Canadians found that 6.5 percent of participants reported that they had been victims of identity fraud, the majority of whom had experienced credit card fraud (Sproule and Archer 2010). The estimated out-of-pocket costs to Canadian consumers totaled over $150 million. The Canadian Anti-Fraud Centre, which collects data from victim reports, stated there were over 19,000 victims of identity fraud in 2013, up from 17,000 in 2011. Despite the increase in the number of victims, the monetary losses declined from $16 million in 2012 to 11 million in 2013 (Canadian Anti-Fraud Centre 2013).

As discussed previously, the clearance rates for identity theft are low, meaning that offenders are rarely identified, arrested, or prosecuted. Several obstacles make the investigation of identity theft cases and the likelihood of arrests difficult. Specifically, identity theft cases can be highly complex, and the offender may have committed the theft in a different jurisdiction than where the victim resides, making it difficult not only to identify an offender but to secure an arrest warrant. In addition, limited departmental resources may be directed toward the investigation of violent and drug-related offenses rather than identity thefts (Vieraitis, Copes, and Birch 2014). Creating the profile of the typical identity thief is also complicated by the lack of information from victims. According to the ITS, in most cases the victim simply does not know anything about the identity of the offender (BJS 2013). Victims whose personal information was used to open a new account or for other fraudulent purposes were more likely than victims of existing account misuse to know something about the offender, but the overall percentage of victims who knew anything about the person responsible was less than 9 percent (BJS 2013). Another potential source of information on offenders is from offenders themselves. However, to date, few have sought to gather such data (for exceptions see Copes and Vieraitis 2012; Duffin, Keats, and Gill 2006; Gill, 2007). The lack of information from victims (individuals and businesses), low reporting rates, and low clearance rates combined with the paucity of data from offenders contribute to the difficulty in understanding identity theft, particularly those who engage in it.

Information on the demographic characteristics of identity theft offenders is presented in the results of the analyses conducted by Allison et al., (2005), Gordon, Rebovich, Choo, and Gordon (2007), and Copes and Vieraitis (2012). Allison et al. and Gordon et al are based on law enforcement data while Copes and Vieraitis’ study is based on interviews with offenders. Gordon et al. examined closed US Secret Service cases with an identity theft component from 2000 to 2006. They found that most offenders (42.5 percent) were between the ages of 25 and 34 when the case was opened and another one-third were between 35 and 49 years of age. Similarly, Allison et al. found that offenders ranged in age from 28 to 49 with a mean age of 32. Both law enforcement based studies found similar patterns about race. Gordon et al. found that the majority of the offenders were black (54 percent), with whites and Hispanics accounting for 38 percent and 5 percent of offenders, respectively. Allison et al. found that the distribution of offenders was 69 percent black, 27 percent white, and less than 1 percent Hispanic or Asian. The two studies differed in terms of the gender of offenders. Gordon et al. found that nearly two-thirds of the offenders were male, whereas Allison et al. found that 63 percent of offenders were female.

Copes and Vieraitis’s (2012) sample of 59 identity thieves included 23 men and 36 women, which is consistent with the findings of Allison et al. (2005); however, this may be attributed to Copes and Vieraitis’ sampling strategy and the higher response rate from female participants. The racial makeup of their sample was 44 percent white, 53 percent black, and 3 percent other.⁴ Offenders in the sample ranged in age from 23 to 60 years with a mean age of 38 years. The majority of offenders were ages 25 to 34 (34 percent) or 35 to 44 (32 percent). Only 7 percent were ages 18 to 24 years, and 5 percent were older than 55 years. The age distribution matches closely with the larger sampling pool and that found by Gordon et al. (2007) and Allison, et al.

Both Copes and Vieraitis (2012) and Allison et al. (2005) included information on the offenders’ employment status. Most of the offenders in Copes and Vieraitis’s study had been employed at some point during their lifetimes. The diversity of jobs included day laborers, store clerks, nurses, and attorneys. At the time of their crimes, 52.5 percent were employed, and a total of 35.5 percent of the sample reported that their employment facilitated the identity thefts. The majority of those who used their jobs to carry out their crimes committed mortgage fraud. The results from Allison et al. indicated that 47 percent were employed.

Little is known about the degree to which identity thieves specialize in their offenses. Prior arrest patterns indicated that a large portion of the offenders interviewed by Copes and Vieraitis (2012) had engaged in various types of offenses, including drug, property, and violent crimes. Yet the majority of them claimed that they committed only identity thefts or comparable frauds (e.g., check fraud). In total, 63 percent of the offenders reported prior arrests, and most were arrested for financial fraud or identity theft (44 percent), but drug use/sales (19 percent) and property crimes (22 percent) were also relatively common. This finding is consistent with that of Gordon et al. (2007), who found that while the majority of defendants had no prior arrests, those who did have criminal histories tended to commit fraud and theft related offenses.

Copes and Vieraitis’ (2012) interviews with identity thieves yielded information that helps provide a richer and more detailed profile of the persons who commit this crime. Through interviews with offenders, they show that identity thieves are a heterogeneous group. Their family backgrounds, educational attainments, work histories, and criminal histories run the gamut from poverty to wealth, less than a high school education to graduate degrees, and no prior arrests to incarcerations for everything from fraud to drugs. Some are embedded in “street life” and resemble the profile of a typical street offender, while others live lives similar to those of the conventional middle-class citizen and share characteristics in common with middle-class fraudsters or white-collar offenders. Copes and Vieraitis suggest that it is difficult to create a profile of identity thieves because the crime may be more “democratic” than most other types of crimes (Copes and Vieraitis 2012). This claim is also supported by recent research from the National Gang Intelligence Center (2013), which found that gangs are increasingly engaging in more sophisticated criminal operations that include identity theft and related frauds such as credit card fraud, mortgage fraud, counterfeiting, and bank fraud.

The data on identity theft victims is more substantial than the data available for offenders, yet difficulties still emerge when trying to establish the correlates of victimization. First, patterns emerging from victimization data are affected by the operational definition of identity theft employed by researchers. For example, including existing credit card fraud as a type of identity theft increases not only the victimization rate but some research suggests that it alters the demographic profile of victims (e.g., Copes, Kerley, Kane, and Huff 2010). However, recent findings from the NCVS show that across all types of identity theft, prevalence rates did not vary significantly by sex (BJS 2013). Second, victimization patterns are also difficult to establish if certain cases are less likely than others to be reported. Victimization surveys suggest that certain types of frauds (e.g., nonexisting account frauds) are more likely to be reported to law enforcement than others (e.g., existing account frauds), thus caution in drawing conclusions is warranted (e.g., BJS 2013).

Several studies examine the correlates of victimization including demographic and behavioral characteristics (Allison et al. 2005; Anderson 2006; BJS 2010, 2013; Kresse et al. 2007; Copes et al. 2010; Pontell, Brown, and Tosouni 2008; Holt and Bossler 2009). Overall, the results of several of studies indicate that a similar percentage of men and women are victims of identity theft each year; the lowest rate of victimization is among persons age 65 or older, while the majority of victims are in their mid-20s to mid-50s; and those with incomes greater than $75,000 are at higher risk than households in lower income brackets (Allison et al. 2005; Anderson 2006; BJS 2010, 2013; Kresse, Watland, and Lucki 2007). The most comprehensive and reliable picture of identity theft victims is provided by recent data from the ITS that show that persons age 16 to 17 have the lowest rates of victimization followed by persons ages 18 to 24 and 65 or older. The highest rates of victimization were found among persons age 35 to 49 (BJS 2013). Data on race/ethnicity and identity theft victimization show that households headed by white non-Hispanics and those reporting “two or more races” experienced higher rates of victimization than black non-Hispanics and Hispanics (BJS 2013).

In addition to demographic profiles, studies have suggested that people who engage in risky behaviors such as remote purchasing or Internet usage are more likely to be victims of identity theft (Holt and Bossler 2009; Copes et al. 2010). Although respondents in Copes et al.’s study reported that they rarely gave out personal information in response to a solicitation, victims of existing account fraud and new credit card fraud were more likely to do so than victims of existing credit card fraud. Despite cautions from law enforcement and consumer groups, victims of existing account fraud and new credit card fraud were less likely to check the backgrounds of people they do business with than were victims of existing credit card fraud (Copes et al. 2010).

Data limitations prohibit us from knowing the true extent of identity theft victimization, and this may be particularly acute for certain types of victims. For example, child identity theft, which occurs when an offender uses the identifying information of a person under the age of 18 for personal gain, may be severely underreported. Available data suggests that this form of identity theft is relatively rare. Data from the FTC indicate that 6 percent of all cases reported to the agency involved victims who were 19 years old or younger (FTC 2014), however, it is impossible to know the extent since it may take years (e.g., until the child turns 16 and applies for a driver’s license) to discover the theft. Some research suggests that the perpetrator of child identity theft is typically a family member who has easy access to personal information. According to Pontell, Brown, and Tosouni (2008), over three-quarters of those who stole the identities of victims under the age of 18 were their parents. Similarly, Identity Theft Resource Center survey data indicated that in child identity theft cases, 69 percent of the offenders were one or both parents or a stepparent and 54 percent of these cases began when the victim was younger than the age of five (Identity Theft Resource Center 2007).

Other research has examined the geographic distribution of identity theft victimization (Lane and Sui 2010). In an analysis of FTC data from 2002 to 2006, Lane and Sui found regional trends for identity theft demonstrating that higher reporting rates were found in the southwestern states, with lower rates in New England and the northern plains states. The researchers note that these regional patterns mirror the trends for traditional larceny and theft crimes. They also found that following hurricane Katrina there was an eastern shift of identity theft in the form of government document and benefits fraud (Lane and Sui 2010). In addition, specific types of identity theft were more prevalent in some regions that others. For example, employment fraud, government document fraud, and loan fraud were concentrated in states with higher Hispanic populations.

Identity thieves have developed a number of techniques and strategies using low-tech (offline) and high-tech (online) methods to steal victims’ personally identifying information and convert the information to cash or goods (Copes and Vieraitis 2012). Offenders obtain this information from wallets, purses, homes, cars, offices, and businesses or institutions that maintain customer, employee, patient, or student records. Social security numbers provide instant access to a person’s personal information and are widely used for identification and account numbers by insurance companies, universities, cable television companies, military identification, and banks. The thief may steal a wallet or purse; work at a job that affords him or her access to credit records; purchase the information from someone (e.g., employees who have access to credit reporting databases commonly available in auto dealerships, realtor’s offices, banks, and other businesses that approve loans); or find victims by stealing mail, sorting through the trash, or searching the Internet. Some offenders create elaborate schemes to dupe victims into revealing their personal information both on- and offline. Offenders may hack into businesses that maintain information legitimately or through the use of phishing, which involves spam email campaigns that solicit information from would-be victims. Underground websites and forums operate that sell stolen information (e.g., credit card and bank account numbers) for relatively cheap prices (Holt and Lampke 2010). Other technology-based approaches include pharming (hackers install malicious code to redirect victims to fraudulent websites) and smishing (thieves use text messages to lure consumers to websites or phone numbers).

The focus here is on the low-tech methods used by thieves, as our review relies on the research findings of offender-based studies, and the information on criminals who use online methods is extremely limited. Information on methods used by offenders also comes from victimization surveys, (FTC, NCVS, and others), but the caveats discussed previously apply. Nonetheless, we give a brief overview of the findings based on these data before turning to the findings of qualitative research based on interviews with offenders.⁵

The FTC (2009) data provide some information on the strategies used by offenders to steal victims’ information. Based on data from the 43 percent who knew how their information was stolen, the report suggests that offenders obtain information from people they know personally (16 percent), during a financial transaction (7 percent), from a stolen wallet or purse (5 percent), from a company that maintained their information (5 percent), or through stolen mail (2 percent). Of respondents to the 2012 ITS, only 32 percent of victims knew how their information was obtained. Victims who experienced more than one type of identity theft during a single incident were most likely to know how this was accomplished (46.5 percent), whereas victims of existing credit card fraud were least likely to know this information (24 percent). Of the victims who knew how the theft occurred, most (43 percent) indicated that their information was stolen during a purchase or other transaction (BJS 2013). Early reports from the NCVS provide a more detailed breakdown of the methods identified by victims (BJS 2010). In 2009, 39 percent of respondents knew how their personal information was obtained. Of these respondents, nearly 30 percent reported that their identity was stolen during a purchase or other transaction, 20 percent said the information was lost or stolen from a wallet or checkbook, and 14 percent indicated the information was stolen from personnel or other files at an office. High-tech methods were less likely to be reported, with 4 percent of respondents indicating their computers were hacked, that they responded to spam email or phone call, or that their data were exposed on the Internet.

Offenders can use information to acquire or produce additional identity-related documents, such as driver’s licenses or state identification cards, in an attempt to gain cash or other goods. Offenders apply for credit cards in the victims’ names (including major credit cards and department store credit cards), open new bank accounts and deposit counterfeit checks, withdraw money from existing bank accounts, apply for loans, open utility or phone accounts, and apply for public assistance programs.

According to the FTC, the most common type of identity theft in 2006 was credit card fraud (25 percent), followed by “other” identity theft (24 percent), phone or utilities fraud (16 percent), bank fraud (16 percent), employment-related fraud (14 percent), government documents or benefits fraud (10 percent), and loan fraud (5 percent; Synovate 2007).⁶ Data from the 2012 ITS indicate the most common type was the unauthorized misuse or attempted misuse of an existing account. Eighty-five percent of victims experienced this type of theft; more specifically, 40 percent involved existing credit card accounts, 37 percent bank accounts, and 7 percent other accounts such as existing, telephone, online, or insurance accounts (BJS 2013). While much of the official data (i.e., FTC and BJS) suggest that existing credit card fraud is the most common method of identity theft perpetrated by offenders, little detail is given on the specific methods employed. We now turn to offender-based data to provide a more detailed picture of the methods used to convert information.

Research on identity thieves provides more details on the specific techniques that offenders use to steal and convert personal information (Copes and Vieraitis 2012).⁷ Participants in Copes and Vieraitis’ study revealed techniques used by organized rings in which a person is planted as an employee in a mortgage lender’s office, doctor’s office, or human resources department to access information more easily. Similarly, these groups will simply bribe insiders such as employees of banks, car dealerships, government agencies, and hospitals to gain access to identifying information. Offenders report buying information from other offenders such as prostitutes, burglars, drug addicts, and other street hustlers. Some offenders engage in sophisticated ploys to induce victims to reveal personal information such as setting up fake employment sites or convincing a friend or relative to help the offender out of a difficult financial situation.

Most offenders use the information to order new credit cards, but they also use it to induce the credit card agency to issue a duplicate card on an existing account. They use credit cards to buy merchandise for their own personal use, to resell the merchandise to friends and/or acquaintances, or to return the merchandise for cash. Offenders also use the checks that are routinely sent to credit card holders to deposit in the victim’s account and then withdraw cash or open new accounts. Offenders have been known to apply for credit cards at department and home improvement stores. Other common strategies for converting information into cash and/or goods includes producing counterfeit checks, which offenders use to obtain cash at grocery stores, purchase merchandise and pay bills, open new bank accounts in order to deposit checks or withdraw money from an existing account, and apply for and receive loans (Copes and Vieraitis 2012).

Identity thieves rely on a number of methods to carry out their crimes. In addition, as the profiles at the beginning of this essay indicate, some thieves do so by working alone, while others are involved in teams both small and large. The participants in Copes and Vieraitis’ (2012) study reported that they relied on a number of organizational schemes to carry out their acquisition of personal information and the conversion of that information into cash and/or goods. Three primary organization schemes emerged from their interviews with offenders, including loners, street level identity theft (SLIT) rings, and occupational teams.

Loners reported typically using the personal information of others to open credit card accounts or secure bank loans. Many of these offenders claimed that they tried to make payments on the accounts to prevent victims from discovering the fraud, but eventually repayment became impossible. In some cases they used information available to them for their place of work, and in some cases they used the information of family members, including their own children, or friends. In one case, a woman employed at a mortgage company used client information to obtain personal bank loans. In another, the offender used the personal information of deceased family members to open bank accounts, get credit cards, and apply for a HUD loan. One thief used the personal information of her children and mother to take out bank loans. Other thieves used more sophisticated and elaborate schemes to dupe strangers into revealing their information. For example, one set up fake employment sites with applicants willingly supplying all their personal information, and another used obituaries to access information and file fraudulent Medicare claims.

The majority of the identity thieves interviewed by Copes and Vieraitis (2012) operated in teams characterized by an elaborate division of labor in which members performed different roles depending on their knowledge and skills. There was considerable diversity among this group that necessitated the division of teams into two types: SLIT rings and occupational teams. SLIT rings and occupational teams share many similarities, but they differ noticeably in the methods they use to steal and convert information.

SLIT rings used numerous methods to acquire and convert information. Some rings relied on an individual employed by a company that possessed legitimate access to names and personally identifying information of clients to obtain information. Others targeted residential and commercial mailboxes to steal checkbooks, bank statements, or medical bills. For most SLIT rings in Copes and Vieraitis’ (2012) sample, the person supplying the information was a street-level criminal—typically engaged in drug sales, robbery, burglary, or other street crimes—who sold the information to the ringleader. This information included drivers’ licenses and social security cards. Some rings obtained information from willing acquaintances, friends, and family members in exchange for a fee. The “victim” would then wait a while before reporting the “theft.” In one case involving a well-known gang, the ringleader paid someone to purchase birth certificates from drug-addicted mothers. The birth certificates of US children were used to gain passports so the children of gang members and their associates could enter the country “legally.”

After obtaining victims’ information, offenders applied for credit cards in the victims’ names, opened new bank accounts and deposited counterfeit checks, withdrew money from existing bank accounts, applied for loans, or opened utility or telephone accounts. Because such transactions all require some form of official identification, teams recruited employees of state or federal agencies with access to social security cards or birth certificates, which could then be used to order identification cards. While thieves could use fraudulent information to obtain identification cards through conventional channels, it also was possible to manufacture false cards using rogue employees of state departments of motor vehicles or through street hustlers, who had managed to obtain the necessary equipment. For SLIT rings, the most common strategy for converting information into cash was by applying for credit cards, both from major card issuers and individual retailers. Offenders could use a stolen identity to order new credit cards or to issue a duplicate card on an existing account. With these cards in hand, they could buy merchandise for their own personal use, for resale to friends and acquaintances, or to return for cash. Another common strategy for converting information into cash or goods involved producing counterfeit checks. Offenders typically used such checks to open new bank accounts or deposited them in the victim’s existing account before withdrawing cash. Counterfeit checks also could be cashed at grocery stores or be used to purchase merchandise and pay bills.

Members of occupational teams used their legitimate place of employment to steal information and convert it to goods or cash, acting almost exclusively with fellow employees to commit their crimes. In mortgage fraud schemes, the majority of players were employed at the same company or at companies that worked together to process home loans. In cases involving workers at a state department of motor vehicles, an outside source provided information to employees, who then issued state identification cards or driver’s licenses that were subsequently used to carry out identity thefts. The thefts committed by occupational teams typically involved theft on a larger scale, characterized by numerous victims and higher dollar losses than those committed by SLIT rings or loners.

It is clear that identity theft affects a sizable portion of the population, is costly in both time and money, and is difficult to detect and prosecute. To understand the crime of identity theft and thus increase the likelihood that policymakers and law enforcement officials are effective in reducing it, there is a need for continued research. The first step is to address the problem of data collection. Currently, information on identity theft is collected and housed in multiple databases, including both private and government agencies. One incident may be reported to local, state, and federal law enforcement agencies, credit reporting agencies, credit card companies, financial institutions, telecommunication companies, and others. This makes the collection and sharing of information among agencies difficult. It also creates significant barriers to developing reliable estimates of the extent of identity theft, patterns in victimization and offending, and the true costs associated with this crime. There is also little data on the processing of identity thieves including clearance rates, conviction rates, and sentencing. We need more systematic data collection from agencies responsible for personal information; agencies that use personal information in legitimate business practices; law enforcement agencies at local, state, and federal levels; victims; and those who know most about how and why identity theft occurs—the identity thieves themselves. Although the focus here has been on offender-based research, we do not deny the critical roles that individuals, businesses, and government agencies play in the development of prevention strategies. Increasing the effort and risk associated with stealing identifying information and converting it into cash or goods requires diligence on the part of individuals as well as businesses. Moreover, understanding how individuals and businesses protect and regulate the use of personally identifying information can improve efforts to control identity theft and fraud. Gaining information on who these offenders are and how they perpetrate their crimes can also help inform policies designed to decrease identity theft. As Collins (2006: 181) notes, “[C]omputers do not steal identities… people do.”