skip to main content

How Identity Thieves Work: Protect Your Information

By James Thorne

  • PUBLISHED April 15
  • |

You may not always see it, but the information and data that makes up your online identity is spread across the internet. Identity thieves know this and seek out the traces that we leave wherever we go, both in the real world and online. And they use these traces to steal your identity.
But you can limit your risk by knowing how attackers think and what they’re after. Here’s a peak into what they are after and how they operate.
Know What Identity Thieves Want
Identity thieves target your personal information. But at the end of the day—just like most other thieves—most of them want money.
These ID pickpockets have evolved to take advantage of the wealth of personal information that most people have stored on the internet. In most cases, when they are looking to get your information, they either directly target you or focus on getting your information from a company with whom you do business. They may also impersonate a person or organization who you trust and try to trick you into turning over information.
Some of the information that these thieves target is so common that we don’t always think to protect it. But by getting some information, they can then use that to bust through security measures that guard your more secure accounts.
Here are some of the things identity thieves are after:

  • Social Security numbers are the granddaddy of all personal details, with good reason. They can be used for things like opening lines of credit or claiming your tax refund.
  • Contact information, including email addresses and phone numbers, is often used to confirm your identity by third parties.
  • State identification numbers such as your driver’s license, passport and birth certificate contain valuable information.
  • Online information such as usernames, passwords and PINs can leave you vulnerable if not kept safe.
  • Verification data, such as your date of birth or mother’s maiden name, are commonly used to check your identity.
  • Financial information, such as your bank accounts, credit cards and investment accounts are common targets.
  • Medical records also contain details that can be used for fraud, including medical ID theft.


Phishing for Data
Phishing scams are designed to use your trust in an organization to obtain information fraudsters need. These scams often come in the form of a request for information in an email that appears to be from an organization you know. Fraudsters may also create copycat websites for those organizations to better trick people into entering their information.
Follow these simple rules to avoid falling victim to a phishing scam.

1.    Never give out any personal information over email.
2.    Check URLs and email addresses for indications that the source might be fraudulent.
3.    Don’t click on anything that feels even slightly suspicious.


Phishing scams often go to great lengths to fool you. They may know personal details about you that they learned from social media or use the logos of organizations that you trust. Skepticism is your best defense against these threats.
For more about phishing, see “How to Avoid Phishing.
Make a Better Password
Generally speaking, you want to use passwords that are long, complex and unique. The best passwords often have the following characteristics: 

  • 7 to 20 characters long
  • Upper and lower case letters
  • Non-consecutive numbers
  • Special characters


To help you remember all your complicated passwords, the Federal Trade Commission recommends that consumers consider using a password manager. These tools store your valuable information in encrypted digital vaults, which only you can access.
The same caution you take with passwords should be applied to security questions, which can be used to access your account in the event of a lost password. Avoid things like your date of birth, ZIP code or mother’s maiden name, since these can often be discovered through public records or social media. Try to give answers only you would know or a random response that you can remember.
Use Multi-factor Authentication
Many organizations now use what’s called multi-factor authentication to add an extra layer of security in addition to your password. This typically involves entering a temporary code that is sent to your phone number or email address.
The U.S. Department of Commerce recommends using multi-factor authentication “whenever possible,” especially for websites that contain valuable personal, financial or medical data.
Spot and Report Identity Theft
Remain vigilant for these signs that an identity thief might be targeting you.

  • You receive an IRS notification that your social security number has been used in a tax return.
  • You receive a medical bill or insurance claim that you don’t recognize. An identity thief may be using your information to receive treatment or submit fraudulent insurance claims.
  • There’s a change in your credit report, such as an alert that a new line of credit was opened.
    •    You spot credit card charges that you don’t recognize.
  • You receive a debt collection notice for something you didn’t purchase.


In the event your identity is stolen, report the activity immediately to the FTC, local law enforcement and your bank, along with other financial institution you use. You may also want to consider freezing your credit report with the three major credit bureaus to ensure no new lines of credit can be opened. Then follow the advice of government agencies and your financial institutions to better secure your identity against future attacks.
James Thorne is a freelance journalist who has written for CNBC and Reuters, among other publications.

Illustration by Justin Poulsen.

Read our companion piece, How Identity Thieves Work: Protect Your Money. 

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now