Published in: Research | Nov. 7, 2019

Identity Theft and Credit Card Fraud Statistics for 2019

By:  Lyle Daly

Considering the kind of damage that identity theft and credit card fraud can do to your life, many consumers want to know just how prevalent these crimes are. Is identity theft becoming more common as criminals get more sophisticated, or are better security measures making it more difficult? Which demographics are at the biggest risk of financial fraud? And how much of an impact do data breaches have?

To find out, we’ve reviewed the data to understand the trends on identity theft, credit card fraud and data breaches.

Before we begin, let’s clarify the difference between fraud and identity theft. Fraud is any sort of criminal deception intended for personal or financial gain. Identity theft involves using someone else’s personal information for fraudulent purposes. Therefore, identity theft is one of many different types of fraud.

Summary of key findings

  • There were 444,602 cases of identity theft in 2018.
  • Those aged 30 to 39 reported the most cases of identity theft last year.
  • Georgia, Nevada and California were the top three states for identity theft by population.
  • With nearly 160,000 reports, credit card fraud was the biggest type of identity theft last year and has almost tripled between 2014 and 2018.
  • Almost 450 million records containing personal data were exposed through data breaches in 2018.
  • Hacking is decreasing, but was still responsible for 39% of data breaches in 2018.

Identity theft in the United States

Of the nearly three million fraud cases reported to the Federal Trade Commission (FTC) in 2018, identity theft accounted for 14.85% of cases and was the third-most-common type of fraud.

Total number of identity theft reports in the United States by year, 2014 to 2018

The total number of identity theft reports peaked in 2015, and declined for the following two years. However, they were back up by 19.8% in 2018, making it the year with the second-most identity theft reports on record.

Why did identity theft bounce back in 2018? Part of the increase can likely be attributed to the Equifax data breach, which lasted from May to July of 2017 and exposed the sensitive personal information of approximately 147 million U.S. consumers, making it one of the largest data breaches in history.

Data breaches play an important part in both identity theft and credit card fraud. We will come back to this later, but first let's look at how identity theft impacts different parts of society.

Identity theft reports by age, 2018

While identity theft can happen to anyone, those in the 30 to 39 age range reported it the most, as their 107,367 cases made up 26.1% of all identity theft reports in 2018. It’s certainly not isolated to that group, though, since every group aged between 20 and 59 had reported over 60,000 incidents of their own.

In addition to being the age range with the most identity theft, the 30 to 39 range also had the largest increase in identity theft reports from 2017 to 2018. This was visible both in terms of the number of reports, up 26,900 from 80,467, and the increase percentage of 33.4%.

There was only one age range that had fewer identity theft reports in 2018 than they did in 2017, and that was the 60 to 69 group. They reported 45,787 reports in 2017, and 42,704 in 2018, a 6.7% drop.

The most common types of identity theft

So, what types of identity theft are most common, and how does it break down? Credit card fraud is by far the most common type of identity theft, representing 29.1% of the total cases.

Although credit card fraud is more prevalent among certain age ranges than others, it’s the most common identity theft in almost every age group, with one notable exception.

The 19 and under group had 1,565 cases of credit card fraud, comprising 9.9% of their total identity theft reports. Employment or tax-related fraud was most prevalent among this group, with 7,860 cases making up 49.7% of their identity theft reports. To put that number into perspective, among the other age groups, employment or tax-related fraud only accounted for 11.7% of their identity theft reports.

Given that it’s more difficult for young adults to get credit cards due to their lack of credit history, it’s understandable that this age group suffered from much less credit card fraud.

Identity theft by state

If we break down the reports by state, we can see that certain states have a higher prevalence of identity theft than others.

When it comes to the states with the most identity theft reports, the top-five in 2018 were:

  1. California: 73,668
  2. Texas: 45,030
  3. Florida: 37,797
  4. New York: 24,248
  5. Georgia: 23,871

However, population size obviously plays a large role, because numbers one through four on that list also coincide with the states that have the most citizens. The list does change if you adjust for population, and that gives you a more accurate idea of how prevalent identity theft was in each state.

States ranked by identity theft reports per 100K population, 2018

Georgia takes the top spot here by a wide margin due to having almost twice as many identity theft reports as the previous year. In 2017, Georgia had 120 reports per 100,000 citizens, ranking No. 9. This year, it shot up 90.8%.

Vermont was the state with the fewest identity theft reports, both in terms of reports per 100,000 citizens and total reports.

The main takeaway here is that your risk of identity theft depends quite a bit on where you live. The odds of being a victim of identity theft can double or triple for those in high-risk states compared to those in low-risk states.

And although Georgia does consistently rank among the worst states for identity theft, the state with the most identity theft reports per capita often changes from year to year. It was Michigan in 2017 and 2016, Missouri in 2015, and Florida in 2014.

If you want to delve even deeper into specific locations, you can also look at which metropolitan areas are identity theft hotspots.

Top metropolitan areas for identity theft

Credit card fraud

We saw in the initial statistics that credit card fraud is the form of identity theft that occurs the most. That starts to make sense if you consider that credit cards are so widely used that criminals have many opportunities to get hold of your card information. Once that happens, the card information gives them an easy way to steal your money.

Credit card fraud reports from 2014 to 2018

Credit card fraud has been steadily increasing for the last five years, even as total fraud and identity theft reports have decreased.

After rampant increases in credit card fraud in 2015 (when it increased 34.8%) and 2016 (66.6%), it appeared to have stabilized somewhat in 2017, as it only went up by 6.7%. 2018 brought another substantial jump, though, with credit card fraud reports increasing by another 18.4%.

While credit card fraud has slowed down since its 2015 and 2016 highs, the number of reports have still nearly tripled since 2014.

The number of consumers affected by credit card fraud

The number of credit card fraud reports gives us an idea of how common this crime is, but it doesn’t show us how many consumers have been victims of it.

According to The Ascent’s study on American credit card habits, 35% of consumers have been victims of credit card fraud, and it’s more likely the older you get. Here’s how the percentages break down by generation:

The most prevalent types of credit card fraud

Although credit card fraud is on the rise, the types of credit card fraud are changing. The United States was slower than the rest of the word to adopt EMV chip technology in its credit and debit cards, but it has been catching up. As of Oct. 1, 2015, liability for in-store counterfeit card fraud shifted to the party that hadn’t adopted EMV chip technology (merchants that don’t have chip readers and banks that don’t issue chip cards).

Visa estimates that 67% of U.S. stores are now EMV compliant, meaning they have credit card processors that can read EMV chips. EMVCo reports that 53.52% of U.S. card-present transactions were EMV chip transactions in 2018, up from 41.21% in 2017.

During chip transactions, it’s nearly impossible to counterfeit the credit card. This means that the amount of card-present fraud -- when a criminal uses a counterfeit card to make a purchase -- is declining because criminals have fewer opportunities to create those fake cards. Among merchants who have upgraded to EMV chip systems, counterfeit fraud dropped by 76% from September 2015 to December 2018.

As the table below shows, the shift to EMV chip cards did lead to an uptick in card-not-present (CNP) fraud. CNP fraud is any transaction where the purchaser didn’t need to physically present the credit card they used. Online transactions are one of the most common examples.

Here’s how the percentage of U.S. consumers affected by card-present and CNP fraud has changed over the last five years:

The good news is that both these types of credit card fraud decreased from 2017 to 2018, and card-present fraud should continue to drop as more merchants switch to EMV chip readers.

You may be wondering how fraudulent credit card transactions can decrease and in the same year credit card fraud reports can increase. The reason is that quite a bit of credit card fraud is new account fraud, which is when a thief opens a new credit card account using another person’s information.

Here’s how the number of new and existing account fraud reports changed from 2017 to 2018:

While it’s important to guard your credit card information, it’s equally important to monitor your credit history and watch for new accounts that were opened without your knowledge, as criminals are doing that more and more. Two effective options to protect yourself are credit fraud alerts, which require lenders to take additional verification steps before opening an account in your name, and a credit freeze, which prevents anyone from accessing your credit reports.

Credit card fraud losses

The amount of money lost due to fraud using existing credit or debit cards decreased substantially last year, from $8.1 billion in 2017 to $6.4 billion in 2018. And we should note here that consumers aren’t footing the bill for most of those losses due to financial regulations governing unauthorized transactions.

With unauthorized credit card transactions, you’re not liable for anything if the thief stole your card number but not the card itself. If the thief had your card and used it for the purchase, the most you’re liable for is $50 in fraudulent charges. Many card issuers will waive that as well, which is why credit cards are the most secure way to pay for purchases.

The bottom line is that the banks end up taking on most of those losses from card fraud.

Data breaches

At the beginning of this article, we saw that there could be a connection between the huge Equifax data breach and the subsequent spike in identity thefts. And when we looked at credit card fraud, we saw that fraudulent credit card accounts and criminals using card data without the physical card were behind the increase in credit card fraud.

This begs the question -- where are they getting people’s information? Often, the answer is through data breaches.

Data breaches and records exposed in 2018

In 2018, there were 1,244 data breaches and almost 450-million exposed records (446,515,334) containing personally identifiable information (PII). PII is any information that could identify an individual, and it can be divided into sensitive PII which could harm the individual and non-sensitive PII which could be gained from public sources.

Data breaches are measured by the number of breaches and the total number of records exposed. So in 2018, despite there being 23% fewer data breaches than there were in 2017, the number of exposed consumer records containing PII went up by 126%.

In addition, those breaches also exposed over 1.68 billion non-sensitive records, such as email addresses and usernames. While most consumers don’t worry as much about this, every piece of information a criminal has on a person can potentially help them access accounts and obtain more sensitive data.

Data breaches by industry, 2017 and 2018

Not every industry had a bad year. The banking industry, while having almost the exact-same number of breaches, had 47.1% fewer records exposed. The education industry had significantly fewer breaches, although this only led to a 0.7% decrease in the number of records exposed.

2018 data breaches by type

While hacking remains the most common cause of data breaches, in terms of the number of records exposed, it had much less impact than last year. In 2017, hacking accounted for 59.5% of breaches and over 168 million exposed records containing PII, representing 85.0% of the total. In 2018, hacking accounted for just 3.7% of all exposed records containing PII.

It was the opposite with unauthorized access, which was responsible for 11.4% of breaches and a mere 0.3% of records exposed in 2017. In 2018, it accounted for 90.5% of all records exposed.

The largest data breaches of 2018

The Starwood Hotels and Resorts breach was by far the biggest breach of 2018 in terms of the amount of sensitive information exposed.

Wrap-up

Overall, 2018 had its good and its bad points from a security perspective. Identity theft and credit card fraud were both up, but losses from card fraud were down, and EMV chip technology is proving to make everyday transactions safer.

Data breaches were also a mixed bag. There were fewer breaches overall and hacking was less common, but the breaches that did occur exposed significantly more information.

Methodology

Identity theft report totals vary by category based on the information provided by the FTC. The breakdown of identity theft by age doesn’t include all identity theft reports, as some reports don’t have the victim’s age. The total number of reports in the section on types of identity theft is greater than the total number of identity theft reports overall because some reports include more than one type of identity theft.

Other Research