How does identity theft happen? Every method explained

Identity theft does not happen in a single, uniform way. Criminals use a wide range of techniques, some technologically sophisticated and others remarkably low-tech, to acquire the personal information they need to commit fraud. What most methods share is the same goal: obtaining enough identifying data to impersonate a victim, open accounts, access existing funds, or sell the information to other criminals who will.

Understanding how identity theft happens matters because different threats call for different defenses. A person who knows that phishing is the most common initial contact method will handle suspicious emails differently than someone who assumes theft only happens through stolen wallets. This guide breaks down every major method used by identity thieves, explains how each works, and identifies what personal information each method typically targets.

For a broader overview of what identity theft is and what forms it takes, see the OmniWatch guide to identity theft.

Quick reference

How identity theft happens

The most common ways identity thieves obtain personal information include:

  • Phishing, smishing, and vishing
  • Data breaches at companies and institutions
  • Social engineering and impersonation
  • Dark web purchases of stolen data
  • Mail theft and dumpster diving
  • Skimming and point-of-sale fraud
  • Malware and spyware
  • Public Wi-Fi interception
  • Account takeover using credential stuffing
  • Theft by someone the victim knows
  • Shoulder surfing and physical observation

1. Phishing, smishing, and vishing

How it works: Phishing is the practice of sending fraudulent communications, most commonly emails, that appear to come from a trusted source. The goal is to trick the recipient into clicking a malicious link, opening an infected attachment, or entering personal information into a fake website that mimics a legitimate one.

Smishing is the same scheme executed through text messages. Vishing uses phone calls. All three rely on the same psychological principle: creating urgency, fear, or familiarity to override a person's instinct to pause and verify.

What information is targeted: Login credentials, Social Security numbers, bank account details, credit card numbers, and answers to security questions.

Why it is so effective: According to FTC data [1], email is the single most common contact method reported by fraud victims, cited in more than 371,000 reports in 2024, with a median loss of $600 per victim. Phone calls, while less common, produced the highest median loss of any contact method at $1,500 per victim. Phishing emails have grown increasingly convincing as criminals use AI tools to eliminate the spelling errors and formatting inconsistencies that once served as easy warning signs.

Phishing red flags to recognize:

  • Messages that create urgency ("Your account will be suspended in 24 hours")
  • Requests for personal information through email or text
  • Links that do not match the domain of the organization they claim to represent
  • Generic greetings like "Dear Customer" instead of your name
  • Unexpected attachments, especially compressed files or documents that prompt you to enable macros
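
The red flags above can be checked mechanically as a first pass over an incoming message, and the link check is the one that most needs care, because a lookalike host can contain the real domain as a prefix. The following Python is an added example, not part of the original guide; the patterns, function names, and sample messages (which use reserved example domains) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristic patterns for the red flags listed above (illustrative, not exhaustive).
URGENCY = re.compile(r"\b(suspended|immediately|final notice|(?:with)?in \d+ hours)\b", re.I)
PII_REQUEST = re.compile(r"\b(password|social security number|ssn|pin|card number|one-time code)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|member|account holder)\b", re.I)
RISKY_ATTACHMENT = re.compile(r"\.(zip|rar|7z|docm|xlsm|pptm)$", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(body_html, claimed_domain, attachments=()):
    """Return the red flags a message trips, in the order of the list above."""
    collector = LinkCollector()
    collector.feed(body_html)
    text = re.sub(r"<[^>]+>", " ", body_html)  # crude tag strip for text checks
    flags = []
    if URGENCY.search(text):
        flags.append("urgency")
    if PII_REQUEST.search(text):
        flags.append("pii-request")
    for href, label in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue
        # The link target must belong to the organization the message claims to be from.
        if not host_in_domain(parts.hostname, claimed_domain):
            flags.append("link-domain-mismatch:" + str(parts.hostname))
        # The visible text shows one URL while the link goes somewhere else.
        shown = urlsplit(label).hostname if "://" in label else None
        if shown and shown != parts.hostname:
            flags.append("link-text-mismatch:" + str(parts.hostname))
    if GENERIC_GREETING.search(text):
        flags.append("generic-greeting")
    for name in attachments:
        if RISKY_ATTACHMENT.search(name):
            flags.append("risky-attachment:" + name)
    return flags

# Constructed sample messages; bank.example and *.test are reserved example names.
PHISH = ('<p>Dear Customer,</p><p>Your account will be suspended in 24 hours. '
         'Confirm your password here: '
         '<a href="https://bank.example.login-verify.test/login">https://bank.example/login</a></p>')
BENIGN = ('<p>Hi Dana, your May statement is ready.</p>'
          '<a href="https://www.bank.example/statements">View statement</a>')
```

A clean result does not mean a message is safe; these checks only surface the warning signs the list describes.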

2. Data breaches

How it works: A data breach occurs when criminals gain unauthorized access to a company's systems and extract stored customer or employee data. Breaches can happen through hacking, malware, insider theft, or improperly secured databases. The stolen data, which typically includes names, addresses, Social Security numbers, passwords, and financial account information, is often packaged and sold on dark web marketplaces.

What information is targeted: Depends on the organization breached. Healthcare breaches yield medical records and insurance IDs. Financial institution breaches expose account numbers and transaction histories. Retail breaches typically produce credit card data. Large-scale breaches at data aggregators or government-adjacent entities can expose comprehensive personal profiles.

Why it matters to individuals: Data breaches are largely outside any individual's control. The Identity Theft Resource Center found that 2024 had the second-highest number of data compromises in U.S. history, with five "mega breaches" alone generating between 100 million and 560 million victim notices each. When the National Public Data breach occurred in 2024, it exposed an estimated 2.9 billion records, potentially affecting nearly every American adult. A person's information can be circulating on the dark web for years without their knowledge, fueling fraud attempts long after the original breach.

The breach-to-fraud timeline: Stolen data is not always used immediately. Criminals sometimes hold data for months, allowing fraud alert systems tied to the breach to expire before attempting to exploit it. This delayed pattern makes breach-sourced identity theft particularly difficult to trace.

3. Social engineering and impersonation

How it works: Social engineering is the manipulation of individuals into voluntarily disclosing personal information. Rather than hacking a system, the criminal hacks the person. Common tactics include impersonating IRS agents, bank representatives, Medicare officials, utility companies, or tech support staff. The thief creates a believable scenario that compels the target to confirm, provide, or transfer sensitive information.

What information is targeted: Social Security numbers, bank account credentials, one-time passcodes, PINs, and account verification answers.

Common scenarios:

  • A caller claims your Social Security number has been "suspended" and asks you to confirm it for reactivation
  • A text message says your bank has flagged suspicious activity and directs you to call a number or click a link
  • A pop-up on your computer warns of a virus and urges you to call a support number, where the "technician" requests remote access
  • An email notifies you of a package delivery problem and asks you to verify your address and payment information

Losses tied to government impersonation scams alone exceeded $789 million in 2024, according to the Federal Trade Commission.

4. Dark web purchases of stolen data

How it works: The dark web is a section of the internet accessible only through specialized browsers that anonymize users. It functions as a marketplace where stolen personal data is bought and sold, often within days of a breach. Criminals purchase individual records or bulk datasets, then use that information to commit fraud directly or sell it again to other buyers.

What is sold: Credit card numbers sell for between $10 and $240 per record. Full identity profiles, which combine a Social Security number, name, date of birth, address, and financial account data, command higher prices. Bank account credentials are priced based on the account balance they provide access to, ranging from $30 to $4,000 or more.

Why this method is significant for consumers: A person whose information is sold on the dark web may have no idea it has happened. The original breach that exposed their data may have occurred years earlier, at an organization they no longer use or think about. This is one of the core reasons ongoing dark web monitoring, rather than one-time scans, provides more useful protection. A continuous monitoring service watches for your personal information in known breach databases and alerts you when it surfaces, enabling faster response before fraudulent accounts are opened.

5. Mail theft and dumpster diving

How it works: Physical mail has long been a source of personal information for identity thieves. Pre-approved credit card offers, bank statements, tax documents, Medicare summary notices, and insurance explanations of benefits all contain names, account numbers, addresses, and in some cases Social Security numbers. Criminals steal mail directly from mailboxes or retrieve discarded documents from recycling bins and trash.

What information is targeted: Account numbers, Social Security numbers, tax identification information, insurance IDs, and pre-approved credit offers that can be activated in the victim's name.

Who is most at risk: Older adults and households in multi-unit buildings with shared or unsecured mailboxes face elevated exposure. Seasonal travel, when mail goes uncollected for extended periods, also creates an opportunity for theft.

Protective steps: Enrolling in the USPS Informed Delivery service provides a daily digital preview of incoming mail, which helps identify missing items. Shredding all financial documents before disposal, rather than placing them whole in recycling bins, removes the primary source of information available to dumpster divers.

6. Skimming and point-of-sale fraud

How it works: Skimming is the placement of a small device on a card reader, ATM, gas pump terminal, or other point-of-sale equipment. The device captures card data as it is swiped or inserted. Some skimmers also include tiny cameras to record PIN entries. The captured data is then used to create counterfeit cards or make unauthorized purchases.

What information is targeted: Credit and debit card numbers, expiration dates, CVV codes, and PINs.

Where skimmers are most commonly found: Gas station payment terminals are the most frequently targeted because they are often outdoors, minimally supervised, and less frequently updated with newer chip-reading technology. ATMs in low-traffic or isolated locations are also common targets.

How to spot a skimmer: Look for card readers that feel loose, appear to have an extra layer added on top of the standard terminal, or have a small hole near the keypad that could conceal a camera. Wiggling the card reader before inserting your card takes only a second and can reveal a device that is not firmly attached.

7. Malware and spyware

How it works: Malicious software installed on a victim's device can capture keystrokes, take screenshots, access stored passwords, and transmit sensitive data to the criminals who deployed it. Malware reaches devices through infected email attachments, malicious download links, compromised software updates, or drive-by downloads from websites hosting malicious code.

What information is targeted: Login credentials for banking and email accounts, stored credit card information, Social Security numbers entered into forms, and session cookies that allow criminals to bypass password authentication entirely.

Keyloggers: A specific type of malware called a keylogger records every keystroke made on the infected device. When a user types their bank account password, Social Security number, or credit card number, the keylogger captures and transmits it in real time.

Protective measures: Keeping device operating systems and software updated closes known security vulnerabilities that malware exploits. Using reputable antivirus software provides an additional detection layer. Avoiding clicking links or opening attachments from unknown senders eliminates the most common delivery mechanism.

8. Public Wi-Fi interception

How it works: Public Wi-Fi networks at coffee shops, airports, hotels, and libraries are often unencrypted, meaning that the data transmitted over them can be intercepted by anyone on the same network with the right tools. Criminals can position themselves on a public network and monitor traffic, capturing login sessions, form submissions, and other data in transit.

A related technique is the "evil twin" attack, in which a criminal sets up a Wi-Fi hotspot with a name nearly identical to a legitimate network. Users who unknowingly connect to the fake network route all their traffic through the criminal's device.

What information is targeted: Login credentials for any website accessed while on the network, including banking, email, and social media accounts.

Practical guidance: Avoid accessing financial accounts or entering sensitive information while connected to public Wi-Fi. Using a virtual private network (VPN) encrypts your internet traffic, making interception significantly more difficult even on unsecured networks.

9. Credential stuffing and account takeover

How it works: Credential stuffing is an automated attack in which criminals take usernames and passwords exposed in a data breach and use software to test those combinations against hundreds or thousands of other websites. Because many people reuse the same passwords across multiple accounts, a single breach can unlock access to entirely unrelated services.

What information is targeted: Email addresses and passwords from previous data breaches.

The scale of the problem: Billions of username and password combinations from past breaches are available for purchase on the dark web. Automated tools can test thousands of login combinations per second. When a credential stuffing attack succeeds, the criminal can access bank accounts, email accounts, investment accounts, and any other service that uses the same password, without ever interacting with the victim directly.

The single most effective defense: Using a unique, randomly generated password for every account eliminates credential stuffing as a viable attack. A password manager makes this practical by storing and autofilling credentials without requiring the user to memorize them.
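
On the service side, credential stuffing leaves a recognizable pattern in login records: one source trying many different usernames in a short time, with almost all attempts failing. The following Python is an added example, not part of the original guide; the log format, thresholds, function names, and sample log lines (documentation IP ranges) are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 alice FAIL
2024-05-01T10:00:01 198.51.100.7 bob FAIL
2024-05-01T10:00:02 198.51.100.7 carol FAIL
2024-05-01T10:00:03 203.0.113.20 dana FAIL
2024-05-01T10:00:04 198.51.100.7 dave FAIL
2024-05-01T10:00:05 198.51.100.7 erin FAIL
2024-05-01T10:00:06 198.51.100.7 frank OK
2024-05-01T10:00:20 203.0.113.20 dana FAIL
2024-05-01T10:00:40 203.0.113.20 dana OK
"""

def parse(log):
    """Yield (timestamp, ip, username, success) tuples from the assumed log format."""
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(events, window=timedelta(seconds=60),
                    min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct usernames within `window`, mostly failing.

    Events must be in time order. Returns {ip: {"users_tried", "compromised"}};
    "compromised" holds accounts that logged in successfully during the burst
    and should get a forced password reset and session revocation.
    """
    recent = defaultdict(deque)  # per-IP sliding window of (ts, user, success)
    findings = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if len(users) >= min_users and successes / len(q) <= max_success_ratio:
            hit = findings.setdefault(ip, {"users_tried": set(), "compromised": set()})
            hit["users_tried"] |= users
            hit["compromised"] |= {u for _, u, s in q if s}
    return findings

def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(parse(SAMPLE_LOG))
```

In the sample, the source cycling through six usernames is flagged and its one successful login is reported for response, while the user who mistypes a password twice before logging in is not.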

10. Theft by someone the victim knows

How it works: A significant portion of identity theft is committed not by strangers but by people with legitimate access to the victim's personal information. Family members, caregivers, roommates, coworkers, and acquaintances may use their proximity to access financial documents, memorize account numbers, or steal physical cards. One widely cited study found that 51 percent of new account fraud victims knew the person who committed the fraud.

Who is most at risk: Children, whose Social Security numbers may be used by a parent or relative without detection for years. Elderly individuals with caregivers who have access to financial accounts. Anyone whose financial documents are accessible to others in the household.

Why it is particularly difficult to address: Victims are often reluctant to report theft by family members, and the patterns can be hard to distinguish from authorized access. Regular review of credit reports and financial statements, even in trusted households, remains the most reliable way to detect this type of fraud early.

11. Shoulder surfing and physical observation

How it works: Shoulder surfing is exactly what it sounds like: a criminal observes a victim's screen, keypad, or documents from nearby to capture personal information. This can happen at ATMs, checkout counters, in coffee shops where someone is working on a laptop, or in any setting where sensitive information is visible to bystanders.

What information is targeted: PINs, passwords, account numbers, and any information visible on a screen or written document.

Simple countermeasures: Positioning yourself to block the view of your keypad when entering a PIN, using a privacy screen on laptops in public spaces, and being aware of who is nearby when entering sensitive information all reduce exposure from this method significantly.

Why most victims do not know how identity theft happened

The Bureau of Justice Statistics found that only 21% of identity theft victims could identify how their personal information was stolen.

That statistic reflects an important reality: Many of the most prevalent methods, including data breaches and dark web purchases of previously stolen data, occur entirely outside the victim's awareness or control. There is no suspicious email clicked, no skimmer encountered, no stranger met. The information was exposed elsewhere, packaged, sold, and used months or years later.

This is why reactive detection alone is insufficient. Waiting to notice a suspicious charge or a collection notice for an account you did not open means the fraud has already progressed. Proactive monitoring, which continuously watches for unauthorized use of your information across credit files, public records, and dark web databases, closes the gap between when theft occurs and when you can act on it.

How to reduce your exposure to identity theft

No single measure eliminates all risk, but the following steps materially reduce vulnerability across the methods described above.

  1. Use unique passwords for every account. This neutralizes credential stuffing attacks completely.
  2. Enable multi-factor authentication on banking, email, and any account that supports it.
  3. Be skeptical of unsolicited contact. Legitimate institutions do not ask for passwords, full Social Security numbers, or one-time codes over the phone or by email.
  4. Freeze your credit if you are not actively applying for new accounts. A credit freeze costs nothing and blocks new accounts from being opened in your name.
  5. Shred physical documents before discarding them, including pre-approved credit card offers, bank statements, and insurance documents.
  6. Monitor your credit reports at AnnualCreditReport.com at least annually, or enroll in a service that monitors them continuously.
  7. Enroll in dark web monitoring so you are alerted if your information surfaces in known breach databases, rather than waiting to discover fraud after the fact.
  8. Avoid public Wi-Fi for financial transactions, or use a VPN to encrypt your connection.
  9. Check card readers before inserting your card at ATMs and gas pumps, particularly at unstaffed outdoor terminals.
  10. Review medical and insurance statements for services you did not receive, which is the primary early indicator of medical identity theft.

Real-time monitoring services that cover credit activity, public records, data breach notifications, and dark web databases are built specifically to detect the earliest indicators of identity theft, regardless of how the underlying theft occurred.

Frequently asked questions

Q: How does identity theft happen?

A: Identity theft happens when a criminal obtains another person's personal information and uses it to commit fraud. The most common methods include phishing emails and texts, large-scale data breaches at companies, social engineering over the phone, skimming devices on payment terminals, malware on devices, and the purchase of stolen data on the dark web.

Q: What is the most common way identity theft happens?

A: Data breaches and phishing are the two most prevalent entry points. Email was the most frequently reported contact method for fraud in 2024, cited in more than 371,000 FTC reports. Data breaches, which expose personal information without any direct interaction with the victim, are the largest structural driver of identity theft at scale.

Q: Can identity theft happen without clicking anything?

A: Yes. A significant portion of identity theft originates from data breaches at organizations that hold personal information. The victim takes no action and clicks nothing; their information is stolen from a company's systems and later sold or used to commit fraud. This is why monitoring matters even for people who follow best practices in their own digital behavior.

Q: How do thieves get your Social Security number?

A: Social Security numbers are most commonly obtained through data breaches, phishing, mail theft, social engineering calls that impersonate government agencies, and dark web purchases of previously stolen data. Children's Social Security numbers are particularly targeted because they are unused and therefore have no credit activity to generate alerts.

Q: How long after a data breach does identity theft occur?

A: Identity theft following a data breach can occur immediately or be delayed by months or years. Criminals sometimes hold stolen data before using it, allowing initial fraud alerts tied to the breach to expire. This delayed pattern is one reason ongoing monitoring is more effective than checking your credit once after a known breach.

Q: What is credential stuffing?

A: Credential stuffing is an automated attack in which criminals use username and password combinations stolen in one data breach to gain unauthorized access to accounts on other platforms. It exploits the common behavior of reusing passwords across multiple sites. Using a unique password for every account prevents credential stuffing from working.

Q: How can I tell if my information was stolen through phishing?

A: Common signs include unauthorized login attempts or account lockouts, charges you did not make, new accounts appearing on your credit report, and receiving unexpected password reset emails. However, phishing victims sometimes have no immediate indicators until the stolen information is used weeks or months later, which is why ongoing monitoring provides earlier detection than most people would otherwise receive.

Q: How does identity theft happen on social media?

A: Social media provides identity thieves with personal details that can be used to answer security questions, construct convincing phishing messages, and build profiles. Oversharing birthdates, addresses, employer information, and location data gives criminals the raw material to impersonate you or guess your security answers.

Key takeaways: How identity theft happens

  • Identity theft happens through many distinct methods, including phishing, data breaches, social engineering, skimming, malware, mail theft, and dark web purchases of stolen data.
  • The majority of victims, around 79%, do not know how their information was stolen, often because data breaches occur entirely outside their awareness or control.
  • Email is the most commonly reported contact method for fraud, cited in over 371,000 FTC reports in 2024. Phone-based scams produce the highest median loss per victim at $1,500.
  • Proactive monitoring catches theft faster and limits damage more effectively than waiting for fraud to become visible through missed bills or credit score drops.
  • Using unique passwords, enabling multi-factor authentication, freezing credit, and enrolling in ongoing dark web and credit monitoring address the most prevalent methods simultaneously.

This guide is published by OmniWatch.

1 FTC Consumer Sentinel Network Data Book 2024

2 FTC Press Release: Fraud Losses Reach $12.5 Billion in 2024

3 Identity Theft Resource Center 2024 Annual Data Breach Report

4 Bureau of Justice Statistics: Victims of Identity Theft

5 Javelin Strategy and Research / AARP: Identity Fraud Report 2024

6 TransUnion 2024 Synthetic Identity Fraud Data