Published in: Research | April 13, 2020
By: Lyle Daly
Considering the kind of damage that identity theft and credit card fraud can do to your life, many consumers want to know just how prevalent these crimes are.
Is identity theft becoming more common as criminals get more sophisticated, or are better security measures making it more difficult? Which demographics are at the biggest risk of financial fraud? And how much of an impact do data breaches have?
To find out, we've reviewed the data to understand the trends on identity theft, credit card fraud, and data breaches.
Before we begin, let's clarify the difference between fraud and identity theft. Fraud is any sort of criminal deception intended for personal or financial gain. Identity theft involves using someone else's personal information for fraudulent purposes. Therefore, identity theft is one of many different types of fraud.
Of the more than 3.2-million fraud cases reported to the Federal Trade Commission (FTC) in 2019, identity theft accounted for 20.33% of cases and was the most-common type of fraud.
2019 was the worst year in history for identity theft reports by a wide margin. It had more than 160,000 more identity theft reports than 2015, which previously had been the year to hold this dubious record.
This marks the second year in a row that identity theft reports have increased significantly. From 2017 to 2018, the number of reports increased by 19.8%. From 2018 to 2019, there was a staggering 46.4% increase.
Why is identity theft rising so rapidly? Data breaches play a major role. The Equifax data breach that lasted from May to July 2017 exposed the sensitive personal information of approximately 147 million U.S. consumers, making it one of the largest data breaches in history. And the 2019 Capital One data breach affected approximately 100 million U.S. consumers.
These kinds of data breaches contribute to both identity theft and credit card fraud. We'll come back to this later, but first let's look at how identity theft impacts different parts of society.
While identity theft can happen to anyone, those in the 30 to 39 age range reported it the most. Their 170,255 cases made up 30.2% of all identity theft reports in 2019, and their number of reports shot up by 58.6% from 2018 to 2019. However, it's certainly not isolated to that group. The three groups from ages 20 to 49 all recorded more than 110,000 cases and increases of over 44% within a year.
This data indicates that identity theft is becoming more concentrated among consumers between the ages of 20 and 49 and, to a lesser extent, those from 50 to 59. The question is why. Experian has reported that "When it comes to scams, children and seniors are at the biggest risk," but it appears the opposite is true.
A potential explanation is that consumers in those high-risk age ranges have more credit cards and purchase more. The study "Who Are the Victims of Identity Theft? The Effect of Demographics" points out that more accounts and transactions increase the risk of identity theft. Older consumers and teenagers have fewer credit cards and make fewer purchases, two factors that lower their risk.
It's also important to mention that fraud reports tell a different story. Those peak, both in terms of the number of reports and the amount of money lost, with the 60 to 69 age group.
So what types of identity theft are most common, and how does it break down? Credit card fraud is by far the most common type of identity theft, occurring in 41.8% of all identity theft reports.
You may have noticed that when broken down by type, the total number of identity theft reports is much higher than the total given earlier. While there are 803,078 identity theft reports if you add up the totals here, the FTC also says there were a total of 650,572 reports this year.
The reason is that the FTC allows consumers to include multiple types of identity theft in one report. Let's say an identity thief uses your information for credit card fraud and bank fraud. You could send in one report about both. The FTC would classify it as one identity theft report, but it would also add one report each to the credit card fraud and bank fraud totals.
Although credit card fraud is more prevalent among certain age ranges than others, it's the most common identity theft in almost every age group, with one notable exception.
The 19 and under group had 1,680 cases of credit card fraud, occurring in 11.8% of their total identity theft reports. Employment or tax-related fraud was most prevalent among this group, with 7,072 cases making up 49.7% of their identity theft reports. To put that number into perspective, among the other age groups, employment or tax-related fraud occurred in only 7.0% of their identity theft reports.
Given that it's more difficult for young adults to get credit cards due to their lack of credit history, it's understandable that this age group suffered from much less credit card fraud.
If we break down the reports by state, we can see that certain states have a higher prevalence of identity theft than others.
Here are the states with the most identity theft reports in 2019:
However, population size obviously plays a large role, because numbers one through three on that list also coincide with the states that have the most citizens. The list does change if you adjust for population, and that gives you a more accurate idea of how prevalent identity theft was in each state.
With identity theft increasing so much, it's no surprise that 41 of 50 states saw their number of reports go up. Georgia was the state with the most reports by population size for the second year in a row, seeing a significant rise in its number of reports. From 2017 to 2018, its number of reports went up by 90.8%. From 2018 to 2019, it went up 86.5%.
That's quite a big difference, but Georgia wasn't the state with the largest increase in reports. Arkansas had its number of reports go up by 105.5% as it rose from 37th in 2018 to 18th in 2019. Louisiana wasn't far behind, with a 104.5% increase, taking it from 16th in 2018 to sixth in 2019.
South Dakota was one of the few states that saw its number of reports decrease, and that also made it the state with the lowest rate of identity theft reports. It ranked 47th in 2018. Other notable improvements were Michigan, which went from eighth to 21st, and New Hampshire, which went from 14th to 30th.
The main takeaway here is that your risk of identity theft depends quite a bit on where you live. In 2019, a Georgia resident was more than nine times as likely to be a victim of identity theft as a South Dakota resident. That's the most extreme example, but the point is that the odds of being a victim of identity theft are much greater for those in high-risk states compared to those in low-risk states.
If you want to delve even deeper into specific locations, you can also look at which metropolitan areas are identity theft hotspots.
We saw in the initial statistics that credit card fraud is the form of identity theft that occurs the most. That starts to make sense if you consider that credit cards are so widely used that criminals have many opportunities to get hold of your card information. Once that happens, the card information gives them an easy way to steal your money.
Credit card fraud has been steadily increasing over the years, but it exploded in 2019, with the number of reports increasing by 72.4% from 2018.
Although that's bad news, it's not necessarily a sign of things to come. Credit card fraud reports were also on their way up in 2015 (by 34.8%) and 2016 (66.2%). 2017 broke that trend, as reports increased by only 6.9%.
The number of credit card fraud reports gives us an idea of how common this crime is, but it doesn't show us how many consumers have been victims of it.
According to The Ascent's study on American credit card habits, 35% of consumers have been victims of credit card fraud, and it's more likely the older you get. Here's how the percentages break down by generation:
Although credit card fraud is on the rise, this isn't the case with each type of credit card fraud. In recent years, we've seen new account fraud become far more common than existing account fraud, and the disparity grew most in 2019.
New account fraud also rose by 24% in 2018, while existing account fraud declined by 6%.
To clarify the difference, new account fraud is when an identity thief uses your personal information to open a credit card in your name. Existing account fraud is when an identity thief uses a credit card that you opened.
Perhaps the primary reason for this shift is the difficulty involved in each type of fraud. Hundreds of millions of consumers have had their information exposed in data breaches. That gives identity thieves ample opportunity to open accounts in other people's names.
On the other hand, existing account fraud isn't getting any easier. The United States has adopted EMV chip technology, which has made the transaction process more secure and made it harder for criminals to counterfeit credit cards. Due in large part to this change, card-present fraud (a fraudulent transaction wher the purchaser used a counterfeit credit card) has declined considerably. This type of fraud affected 2.4% of U.S. consumers in 2016 and only 1.4% in 2018.
While it's important to guard your credit card information, it's equally important to monitor your credit history and watch for new accounts that were opened without your knowledge, as criminals are doing that more and more. Two effective options to protect yourself are credit fraud alerts, which require lenders to take additional verification steps before opening an account in your name, and a credit freeze, which prevents anyone from accessing your credit reports.
Identity thieves are always developing new ways to steal money, and the latest evolution is synthetic account fraud.
Synthetic account fraud involves a combination of real and fabricated information, such as a real Social Security number and a false name. After creating a synthetic account, the identity thief has two options:
The second method requires more work but also offers a much greater potential score. It also tends to be the option that identity thieves prefer, as synthetic accounts usually develop over a period of six months to five years.
This type of fraud accounts for 80% of credit card fraud losses, and McKinsey has estimated that it's the fastest-growing type of financial crime in the United States. It also costs lenders over $6 billion per year.
At the beginning of this article, we saw that there could be a connection between the Equifax and Capital One data breaches and the subsequent spikes in identity thefts. And when we looked at credit card fraud, we saw that fraudulent credit card accounts, and in particular synthetic accounts, were most responsible for the increase in credit card fraud.
This begs the question -- where are they getting people's information? Often, the answer is through data breaches.
In 2019, there were 1,473 data breaches and nearly 165 million exposed records containing personally identifiable information (PII). PII is any information that could identify an individual, and it can be divided into sensitive PII which could harm the individual and non-sensitive PII which could be gained from public sources.
Data breaches are measured by the number of breaches and the total number of records exposed. So while the number of breaches increased by 17.2% in 2019, the number of exposed consumer records containing PII dropped by 65.1%.
Those breaches also exposed more than 705 million non-sensitive records, such as email addresses and usernames. While most consumers don't worry as much about this, every piece of information a criminal has on a person can potentially help them access accounts and obtain more sensitive data.
The number of exposed records in the banking/credit/financial industry skyrocketed. Although it had fewer breaches, the records exposed in its breaches increased by almost 99 million. It accounted for 61.1% of the exposed records in 2019.
That change is due to one breach -- the Capital One cyber incident. According to Capital One, that data breach affected approximately 100 million consumers in the United States. Overall, Capital One was responsible for exposing 99% of the records with PII in its industry.
The business industry had the opposite of what happened in the banking/credit/financial sector. Its number of breaches went up, but its exposed records went down. Previously, business was the industry that accounted for the majority of the records exposed, as it accounted for 91.9% of all exposed records in 2017 and 93.2% in 2018. In 2019, that dropped to 11.4%.
Hacking is the most common cause of data breaches, just as it was in 2017 and 2018. However, this may soon change, as the gap between breaches caused by hacking and unauthorized access has narrowed quite a bit.
In 2017, hacking caused 59.5% of breaches, compared to unauthorized access causing 11.4%. In 2018, hacking caused 39.4% of breaches and unauthorized access caused 30.3%. Hacking fell slightly to 39.2% in 2019, and unauthorized access rose again to 36.5%.
One area where unauthorized access has already surpassed hacking is in the number of sensitive records exposed. It accounted for 86.4% of the exposed records containing PII in 2019 and 90.5% in 2018.
The COVID-19 pandemic is the biggest news in 2020. And fraudsters are taking advantage of that fact. The FTC's COVID-19 and Stimulus Reports page shows 143,992 fraud reports related to COVID-19 and the federal stimulus as of July 27, 2020. Those reports have resulted in a cumulative loss of over $93 million.
These fraud reports showed two peaks: one in mid-April and a series in mid-May.
Among those 144,000 fraud reports,
Although the number of reports has shown a steady decline since mid-May, it's quite possible that we'll see the number go up again, especially if a second stimulus package is passed.
Unfortunately, 2019 was a poor year from a security perspective. Identity theft and credit card fraud reports increased substantially on their way to record highs. That was due in part to a large rise in new account fraud, a type of fraud that can do serious damage to a consumer's credit file.
On a positive note, there was much less sensitive information exposed in data breaches. However, there was still a major Capital One data breach that could lead to more fraudulent accounts for years to come.
We’re firm believers in the Golden Rule, which is why editorial opinions are ours alone and have not been previously reviewed, approved, or endorsed by included advertisers. The Ascent does not cover all offers on the market. Editorial content from The Ascent is separate from The Motley Fool editorial content and is created by a different analyst team. The Motley Fool has a Disclosure Policy. The Author and/or The Motley Fool may have an interest in companies mentioned.
The Ascent is a Motley Fool service that rates and reviews essential products for your everyday money matters.
Copyright © 2018 - 2021 The Ascent. All rights reserved.