Person holding various forms of identification, with a laptop showing access granted to personal identifying information.

How do scammers steal identities? The complete guide to identity theft methods in 2026

Identity theft has reached unprecedented levels in 2026, with scammers employing increasingly sophisticated methods to steal personal information. Understanding exactly how these criminals operate is crucial for protecting yourself against their tactics. This comprehensive guide examines the most common and emerging methods scammers use to steal identities, backed by the latest data and expert analysis.

According to the Federal Trade Commission, identity theft reports remained at historically elevated levels in 2025, with FTC Consumer Sentinel data showing more than 1 million identity theft reports annually and credit card fraud continuing to lead all identity theft categories.1 

Modern identity thieves no longer rely solely on traditional methods like mail theft or dumpster diving. Today’s criminals leverage advanced technology, social engineering, and AI-powered tools to steal personal information on an industrial scale. Combined identity fraud and scam losses totaled $38 billion in 2025, affecting 36 million victims.2

What is identity theft?

Definition

Identity theft occurs when someone obtains and uses another person’s personal information without permission to commit fraud or other crimes. This stolen information can include Social Security numbers, credit card details, bank account information, login credentials, medical records, and other personally identifiable information (PII).

The process typically unfolds in two stages: first, criminals acquire the personal information (the theft), then they use that information to commit fraud (the crime). Understanding both stages helps explain why identity theft has become such a pervasive threat in our digital age.

Unlike other crimes that target physical property, identity theft exploits the trust-based systems that underpin modern financial and digital services. When criminals successfully impersonate victims, they can access bank accounts, open new credit lines, file fraudulent tax returns, and even receive medical care under another person’s name.

Infographic on the 8 major types of identity theft, including financial, medical, government, employment, residential, student loan, online account takeover, and child identity theft

The nine most common ways scammers steal identities

1. Data breaches and corporate hacks

Data breaches represent the single largest source of stolen personal information in 2026. When hackers infiltrate company databases, they can steal millions of records containing data points such as names, Social Security numbers, addresses, phone numbers, and financial account details.

The scope of this threat is staggering. The Identity Theft Resource Center reported 3,322 data compromises in 2025, a record high and 5% increase from 2024. The US recorded 1,732 incidents in just the first half of 2025, leading to over 165.7 million breach notifications.3

Recent major breaches demonstrate the scale of exposure. In 2025, researchers discovered approximately 16 billion login credentials compiled from malware logs, phishing kits, and prior data breaches.4 Healthcare provider Yale New Haven Health System experienced a breach affecting roughly 5.6 million patients. Financial services company 700Credit suffered a breach between July and October 2025 that reportedly affected more than 5.8 million individuals.5

Once stolen in a breach, personal information typically appears for sale on dark web marketplaces within hours or days. Criminals package and sell this data by type and value, with complete identity packages containing names, addresses, birthdates, and financial details selling for as little as $16-$228, depending on the victim’s profile.

The breached data enables various forms of fraud. Criminals use Social Security numbers to open new credit accounts, file fraudulent tax returns, or apply for government benefits. Email addresses and passwords provide access to existing accounts, while phone numbers enable SIM swapping attacks.

Identity monitoring services can alert you when your personal information appears in breach databases or dark web marketplaces, providing early warning when your data has been compromised.

2. Phishing and social engineering

Phishing attacks trick victims into voluntarily providing personal information by impersonating trusted organizations. These attacks have evolved far beyond obvious spam emails to become highly sophisticated social engineering campaigns.

The Anti-Phishing Working Group tracked 3.8 million phishing attacks globally in 2025, equivalent to roughly 10,400 per day.6 However, phishing emails are sent at much higher volumes, with approximately 3.4 billion phishing and spam emails sent daily worldwide. The FBI IC3 received an average of 525 phishing complaints per day from US victims in 2025.

Modern phishing campaigns leverage AI to create personalized attacks that are increasingly difficult to detect. AI-supported phishing campaigns represent more than 80% of observed social engineering activity worldwide by early 2025.7 These AI-generated messages can perfectly mimic the writing style and format of legitimate organizations while incorporating personal details about the target to increase credibility.

Common phishing tactics include:

Email phishing: Fraudulent messages claiming to be from banks, credit card companies, or popular services like PayPal, Amazon, or Microsoft. These emails request login credentials, Social Security numbers, or credit card information through fake websites that look identical to legitimate sites.

Spear phishing: Targeted attacks that use specific information about the victim, their employer, or their contacts to create highly convincing messages. Criminals research targets through social media and public records to craft personalized attacks.

Smishing (SMS phishing): Text messages containing malicious links or requesting personal information. Mobile devices present smaller screens that make URL inspection difficult, increasing click rates.

Vishing (voice phishing): Phone calls where criminals impersonate bank representatives, government officials, or tech support agents. Voice fraud has industrialized, with vishing growing 442% between H1 and H2 2024.8 AI voice cloning technology now makes the impersonation of known individuals straightforward and convincing.

Business Email Compromise (BEC): Sophisticated attacks targeting businesses where criminals impersonate executives or vendors to manipulate employees into wiring funds or sharing sensitive information. BEC attacks resulted in over $2.7 billion in losses reported to the FBI in 2025.9

The financial impact of successful phishing attacks is severe. IBM’s 2025 Cost of a Data Breach Report puts the average phishing-caused breach at $4.88 million.10

3. Social media exploitation

Social media platforms have become treasure troves of personal information for identity thieves. Users routinely share details that criminals can piece together to build complete identity profiles or answer security questions.

Information commonly harvested from social media includes birth dates, pet names, school information, workplace details, family member names, travel plans, and location check-ins. Criminals use this data to answer security questions, impersonate victims, or craft convincing phishing attacks.

35%

Social media account takeovers represent the most common type of fraud reported in 2025, accounting for 35% of all fraud incidents.11

Once criminals gain access to social media accounts, they can impersonate victims to defraud friends and family, access linked accounts through password reset emails, or gather additional personal information from private messages and posts.

The rise of AI has amplified social media risks. Criminals use AI tools to analyze vast amounts of social media data to identify potential targets and gather intelligence for personalized attacks. Deepfake technology, which increased 4x from 2023 to 2024, allows criminals to create convincing fake videos or audio recordings using photos and voice samples from social media.12

4. AI-powered identity theft

Artificial intelligence has revolutionized identity theft by automating and scaling criminal operations while making attacks more convincing. AI tools enable criminals to process vast amounts of data, generate personalized attacks, and create sophisticated impersonations.

+2,137%

Fraud attempts involving AI deepfakes surged 2,137% in the past three years, according to cybersecurity research.13

Criminals use AI to create fake identities, generate convincing phishing emails, clone voices for vishing attacks, and produce deepfake videos for business email compromise schemes.

The FBI Internet Crime Complaint Center reported 22,000+ AI-related complaints and $893 million in losses in 2025.14 However, experts believe AI involvement is significantly undercounted because most victims don’t recognize AI-generated content.

AI enables several new attack vectors:

Voice cloning: Criminals create convincing audio impersonations using short voice samples from phone calls, voicemails, or social media videos. These cloned voices are used in vishing attacks to impersonate family members, executives, or trusted contacts.

Deepfake videos: Sophisticated video forgeries that show people saying or doing things they never did. These are used in business email compromise attacks to verify fraudulent instructions or in romance scams to build trust with victims.

Automated spear phishing: AI analyzes social media profiles, public records, and previous data breaches to generate highly personalized phishing emails that reference specific details about targets’ lives, work, or interests.

Synthetic identity creation: AI helps criminals combine real and fake information to create believable synthetic identities that can pass automated verification systems.

5. Mail and document theft

Despite the digital age, physical mail remains a significant source of personal information for identity thieves. Criminals target mailboxes, intercept deliveries, and steal documents containing sensitive data.

Mail theft provides access to bank statements, credit card offers, tax documents, insurance forms, medical bills, and government correspondence. This information contains account numbers, Social Security numbers, dates of birth, and other details needed for identity theft.

Common mail theft methods include:

Mailbox fishing: Using devices to retrieve mail from residential and business mailboxes, especially targeting the first few days of each month when bills and statements arrive.

Address changes: Filing fraudulent change-of-address forms to redirect victims’ mail to addresses controlled by criminals.

Package theft: Stealing delivered packages that may contain new credit cards, smartphones, or documents with personal information.

Document interception: Targeting tax returns, W-2 forms, and other documents containing comprehensive personal and financial information.

Pre-approved credit offers: Criminals complete and submit pre-approved credit card applications stolen from victims’ mailboxes.

6. SIM swapping and mobile phone hijacking

SIM swapping involves criminals convincing mobile carriers to transfer a victim’s phone number to a device they control. Once successful, criminals receive text messages and calls intended for the victim, including two-factor authentication codes needed to access accounts.

This attack method has become increasingly sophisticated as criminals employ social engineering tactics against carrier employees or use insider access at mobile phone stores. The process typically begins with criminals gathering personal information about targets through social media, data breaches, or phishing attacks.

Once criminals control the victim’s phone number, they can:

Reset account passwords: Use SMS-based password reset links to gain access to email, banking, and social media accounts.

Bypass two-factor authentication: Receive SMS verification codes needed to access secured accounts.

Access cryptocurrency wallets: Many crypto exchanges use SMS verification, making SIM swap attacks particularly lucrative for criminals targeting high-value accounts.

Intercept sensitive communications: Read text messages containing personal or financial information.

The financial impact can be devastating. Cryptocurrency users have lost millions in SIM swap attacks, and traditional financial accounts are equally vulnerable when protected only by SMS-based security.

7. Credential stuffing and account takeover

Credential stuffing attacks exploit the common practice of password reuse across multiple accounts. When criminals obtain username and password combinations from data breaches, they use automated tools to test these credentials across thousands of websites and services.

The success rate of these attacks is surprisingly high because many people reuse passwords. Security researchers estimate that 80% of compromised email accounts eventually appear for sale on dark web marketplaces, and criminals systematically test these credentials against popular services.15

The credential stuffing process works as follows:

Data acquisition: Criminals obtain login credentials from data breaches, either by conducting their own attacks or purchasing data from other criminals on dark web marketplaces.

Automated testing: Using specialized software, criminals test millions of username/password combinations against popular websites within hours.

Account takeover: Successfully accessed accounts are either immediately exploited or sold to other criminals who specialize in specific types of fraud.

Information harvesting: Once inside accounts, criminals gather additional personal information, payment methods, and linked accounts to expand their access.

Popular targets for credential stuffing include email services, social media platforms, streaming services, e-commerce sites, and financial services. Even seemingly low-value accounts can provide access to more sensitive services through linked accounts or password reset emails.

8. Synthetic identity fraud

Synthetic identity fraud represents one of the fastest-growing and most difficult-to-detect forms of identity theft. Instead of stealing a complete identity, criminals combine real and fabricated information to create new identities that appear legitimate to automated verification systems.

This type of fraud is particularly challenging because there’s often no immediate victim to report the crime, allowing synthetic identities to operate undetected for extended periods.

The synthetic identity creation process typically involves:

Real SSN acquisition: Criminals obtain legitimate Social Security numbers from children, deceased individuals, or adults with limited credit histories through data breaches or government record searches.

Fake personal details: The real SSN is combined with fabricated names, addresses, birthdates, and phone numbers.

Credit profile building: Criminals gradually build credit histories for synthetic identities by opening small accounts and making payments over months or years.

Credit expansion: Once established, criminals apply for larger credit lines, loans, and services using the synthetic identity.

Bust-out phase: Finally, criminals maximize credit utilization and disappear, leaving lenders with losses.

Children and elderly individuals with thin credit files are common targets for SSN theft because their numbers are less likely to trigger immediate fraud alerts. The crime often goes undetected for years until the legitimate SSN holder applies for credit or employment.

9. Employment and tax identity theft

Employment identity theft occurs when criminals use stolen Social Security numbers to obtain jobs, often targeting individuals who are unlikely to immediately discover the fraud, such as children, elderly individuals, or people not actively seeking employment.

This type of fraud can have long-lasting consequences for victims:

Tax complications: When criminals work using stolen SSNs, their wages are reported to the IRS under the victim’s number. This can result in unexpected tax bills, complications with benefit programs, and difficulty filing legitimate tax returns.

Credit implications: Some employers report income information to credit bureaus, potentially affecting the victim’s credit profile with unknown employment history.

Government benefit issues: Fraudulent employment can affect eligibility for Social Security, disability, or unemployment benefits.

Background check problems: Victims may face complications with background checks showing employment at companies they never worked for.

Tax identity theft specifically involves criminals filing fraudulent tax returns using stolen personal information to claim illegitimate refunds. Criminals typically file these fraudulent returns early in tax season, before legitimate taxpayers file their returns, to avoid immediate detection.

Employment identity theft generated 37,556 reports in 2024, representing a 20% year-over-year increase.16 This category causes disproportionate damage because victims often don’t discover the fraud until they file their own tax returns or apply for government benefits.

How stolen information is used

Once criminals obtain personal information through any of these methods, they use it in various ways to commit fraud and financial crimes. Understanding these uses helps explain why identity theft prevention and early detection are so critical.

Financial fraud

Credit card fraud: Criminals use stolen card numbers to make unauthorized purchases or open new credit accounts. Credit card fraud topped all identity theft types with 449,076 reports in 2024.17

Bank account takeover: Using stolen banking credentials, criminals transfer funds, make unauthorized purchases, or change account information to prevent victim access.

Loan and lease fraud: Criminals apply for auto loans, personal loans, student loans, or apartment leases using stolen identities. This category generated 176,409 complaints in 2024 and shows accelerating growth in 2025.18

Government benefit fraud

Tax fraud: Filing fraudulent tax returns to claim refunds using stolen Social Security numbers and personal information.

Social Security fraud: Applying for Social Security benefits using stolen identities or redirecting existing benefits to accounts controlled by criminals.

Unemployment fraud: Claiming unemployment benefits in the victim’s name, particularly common during economic downturns.

Medical identity theft

Insurance fraud: Using stolen identities to receive medical care, prescription drugs, or medical devices covered by the victim’s insurance.

Medical record corruption: Fraudulent medical care creates false entries in victims’ medical records, potentially affecting future care and insurance coverage.

Medical identity theft accounted for 10,116 reports in 2024, a smaller category but one that can have serious health consequences for victims.19

Account takeover fraud

Email account takeover: Criminals gain access to email accounts to conduct business email compromise attacks, access linked accounts, or intercept sensitive communications.

Social media impersonation: Taking over social media accounts to defraud friends and family members or gather additional personal information.

Cryptocurrency theft: Using compromised accounts to steal digital assets or redirect cryptocurrency transactions.

Synthetic identity monetization

Credit maximization: Building synthetic identities over time to qualify for high-value credit products before disappearing.

Account farming: Creating multiple synthetic identities to establish numerous fraudulent accounts across different financial institutions.

Identity resale: Selling established synthetic identities to other criminals who use them for various fraudulent purposes.

Identity theft protection strategies

While you cannot eliminate the chance of becoming an identity theft target, you can significantly reduce your risk and limit the damage if your information is compromised.

Immediate protective measures

Freeze your credit reports: Place security freezes with all three major credit bureaus (Equifax, Experian, TransUnion) to prevent new accounts from being opened in your name. This is free and represents the most effective protection against new account fraud.

Enable account alerts: Set up notifications on all bank and credit card accounts to receive immediate alerts for transactions, login attempts, and account changes.

Use unique, strong passwords: Never reuse passwords across multiple accounts. Consider using a password manager to generate and store complex, unique passwords for each account.

Enable multi-factor authentication: Add extra security layers to important accounts, especially email and financial services. Use authenticator apps or hardware tokens rather than SMS when possible, as text messages can be intercepted through SIM swapping.

Monitor your accounts regularly: Check bank and credit card statements frequently for unauthorized transactions. Review credit reports annually and consider more frequent monitoring if you’re at higher risk.

Advanced protection techniques

Use passkeys: Take advantage of passkey technology when available. Passkeys use fingerprints, face scans, or device PINs instead of passwords and are highly resistant to phishing and data breaches.

Implement identity monitoring: Services that scan dark web marketplaces and breach databases for your personal information can provide early warnings when your data appears for sale.

Secure your mail: Use a locked mailbox, retrieve mail promptly, and consider a P.O. Box for sensitive documents. Opt out of pre-approved credit offers to reduce mail-based identity theft risks.

Limit social media sharing: Avoid posting birth dates, location information, travel plans, or other details that could be used for identity theft or social engineering attacks.

Regular security checkups: Periodically review your online accounts, social media privacy settings, and financial statements to identify potential signs of fraud.

Emergency response planning

Know the warning signs: Familiarize yourself with common signs of identity theft, including unfamiliar accounts on credit reports, unexpected emails about password resets, bills for services you never used, or rejection of tax returns due to duplicate filings.

Prepare response procedures: Know how to place fraud alerts, file police reports, and contact financial institutions if you become a victim. The FTC’s IdentityTheft.gov provides personalized recovery plans.

Document everything: Keep records of all communications with financial institutions, credit bureaus, and law enforcement if you become an identity theft victim.

Consider identity theft insurance: Comprehensive protection services combine monitoring, insurance, and restoration assistance to address identity theft quickly when it occurs.

OmniWatch’s identity protection services include comprehensive monitoring, real-time alerts, and plans with up to $4 million in identity theft insurance to help you respond quickly when threats emerge.

The future of identity theft

Several trends will shape identity theft methods in the coming years:

Artificial intelligence expansion

AI tools will continue making identity theft more sophisticated and harder to detect. Expect improvements in deepfake technology, voice cloning, and personalized social engineering attacks. However, AI will also enhance detection and prevention capabilities for security providers.

Increased targeting of digital services

As more services move online, criminals will focus on digital platforms, cryptocurrency exchanges, and cloud-based services. The growth of remote work and digital banking creates new attack surfaces for identity thieves.

Regulatory responses

Government agencies are developing new regulations and enforcement mechanisms to combat identity theft. However, criminals adapt quickly to new protections, requiring constant evolution in security measures.

Enhanced authentication methods

Biometric authentication, behavioral analysis, and advanced multi-factor authentication will become more common, making traditional password-based attacks less effective.

Frequently asked questions

How do identity thieves choose their targets?

Identity thieves often target individuals based on opportunity rather than specific selection criteria. Common factors include data breach exposure, social media oversharing, poor security practices, and high-value assets like good credit scores or substantial financial accounts. Children and elderly individuals are frequent targets because their identity theft often goes undetected longer.

Can identity theft happen even if I'm careful online?

Yes, identity theft can occur even when you practice good security habits. Data breaches at companies you do business with, mail theft, social engineering attacks against organizations you trust, and sophisticated phishing campaigns can all expose your information, regardless of your personal security practices. This is why comprehensive monitoring and rapid response capabilities are essential.

How quickly do criminals use stolen identity information?

The timeline varies significantly depending on the theft method and criminal goals. Credit card information may be used within hours of theft, while comprehensive identity packages might be developed over months or years. Some criminals immediately sell stolen data to others who specialize in specific types of fraud, meaning your information could be used by multiple criminal groups.

What should I do if I suspect my identity has been stolen?

Act immediately to minimize damage. Place fraud alerts on your credit reports, contact your financial institutions to report potential fraud, change passwords on important accounts, file a report with the FTC through IdentityTheft.gov, and consider filing a police report. Document all communications and keep detailed records of your response efforts.

How effective is credit monitoring in preventing identity theft?

Credit monitoring can quickly alert you to new accounts or credit inquiries but cannot prevent identity theft from occurring. It's most valuable for detecting financial identity theft after it happens. Comprehensive identity monitoring that includes dark web scanning and broader personal information tracking provides earlier warning of potential threats.

Why don't law enforcement agencies stop identity theft?

Identity theft presents unique challenges for law enforcement, including jurisdiction issues when criminals operate across state or national borders, the technical complexity of investigating cyber crimes, resource limitations, and the difficulty of identifying perpetrators who use anonymization tools. While law enforcement has had notable successes, the scale and sophistication of modern identity theft operations often outpace traditional investigative methods.


This guide is published by OmniWatch. Follow OmniWatch on Facebook for ongoing guidance on identity protection, digital safety, and scam awareness.

¹ Federal Trade Commission, The Big View: All Sentinel Reports, 2026

² Bits from Bytes, Identity Theft Statistics 2026: Cases, Losses & Trends, 2026

3 CNBC, Data breaches climbed to a record high in 2025, 2026

4 Secureframe, Biggest Data Breaches of 2025: Common Attack Vectors, 2025

5 Tech.co, Data Breaches That Have Happened This Year (2026 Update), 2026

6 Axis Intelligence, Phishing Statistics 2026: Email, SMS & Social Attacks, 2026

7 Stingrai, Social Engineering Statistics 2026, 2026

8 Axis Intelligence, Phishing Statistics 2026: Email, SMS & Social Attacks, 2026

9 Axis Intelligence, Phishing Statistics 2026: Email, SMS & Social Attacks, 2026

10 Axis Intelligence, Phishing Statistics 2026: Email, SMS & Social Attacks, 2026

11 Regula Forensics, Identity Fraud by Numbers: Trends, Insights & Threats, 2025

12 Regula Forensics, Identity Fraud by Numbers: Trends, Insights & Threats, 2025

13 Signicat, Fraud Attempts with Deepfakes Have Increased by 2,137% Over the Last Three Years, 2025

14 RocketX, Crypto Social Engineering Scams: 2026 Protection Guide, 2026

15 Dexpose, What Is the Dark Web? (Trends, Statistics, & Risks 2026), 2026

16 Bits from Bytes, Identity Theft Statistics 2026: Cases, Losses & Trends, 2026

17 SQ Magazine, Identity Theft Statistics 2026: Key Fraud Data and Trends, 2026

18 OmniWatch, 2025 Identity Theft Statistics: A Record Year For Fraud, 2026

19 SQ Magazine, Identity Theft Statistics 2026: Key Fraud Data and Trends, 2026

Protection for identity theft, scams, and losses banks won't cover

View plans
OmniWatch app showing alerts and scan features