Learn How Identity Theft Happens

Watch Out for These Low-Tech Methods

Pick pocket taking wallet
••• Getty Images/Peter Dazeley

When we consider how identity theft happens, the various scams and other common methods of identity theft tend to fall into one of two categories. Low-tech methods such as dumpster diving and telephone scams are easier to fight against because they take advantage of a victim's personal habits. However when considering high-tech methods of identity theft, there's not much that you can do, because your personal information is stolen from somebody that you gave it to for a business purpose (like buying a house or getting an insurance quote.)​

Stolen Wallet, Purse or Other Personal Theft

The earliest cases of identity theft were probably related to personal information obtained by a pickpocket or burglar. The classic novel, A Tale of Two Cities, is resolved through an assumed identity, and the concept probably goes further back than that. There have been movies depicting identity thieves, like Sommersby, and Catch Me If You Can, that cast a kinder light on the criminal – but the crime is still identity theft.

A large number of cases involving children's identity theft are due to a parent's misuse of their own child's identity, but there are still plenty of cases were a friend of the family or even another family member was the culprit. The best thing to do is lock personal information in a safe, although bank deposit boxes are still a great idea if you can afford one. The worst place to keep birth certificates, Social Security cards, insurance documents etc. is in the top right-hand desk drawer.

Dumpster Diving

"Dumpster diving" has been around for quite awhile, too, but up until recently, it was confined to detectives, private investigators, and occasionally industrial espionage (like trying to find out who your competitor's clients are). Most Americans don't realize that once you throw something in your trash and put it out to the curb for pickup, you don't have any "expectation to privacy", even though there are sound legal arguments otherwise.

There is a fairly simple fix for this, though. Keep a paper shredder or "burn bag" next to your desk, and use it on mail that has your personal information, like bank statements, credit card statements, utility bills, or letters from bill collectors.

Mail, Phone and E-Mail Scams

Mail/phone/e-mail scams are all still categorized as "low-tech" because they rely on the Law of Averages to collect information. The Law of Averages basically says "If you do something often enough, a ratio will appear." This is where we get things like batting averages, poker odds, and door-to-door sales. Email scams are probably the most well-known because the scam artist can send out thousands at one time. But these are really just phishing techniques to drag you into conversations by telephone, so the telephone scam is the real danger.

  • These scams go by many names, but "phishing" is the most commonly used. There are hundreds of scams in this category, but they all can be avoided by using a few simple, common-sense rules:
  • Reputable financial organizations will not contact you by e-mail to discuss financial matters. Period. You may get prospecting letters in the e-mail asking you to use a certain investment firm or apply for a loan at a certain bank, but legitimate business is still done by phone, fax or in person.
  • Do not give out personal information over the phone. If you originated the call, or you are certain you know the person on the other end, you can feel fairly safe. If you're not certain, ask for a number you can call back. Then call the business the caller said they represent. Ask if the person works there. If so, again, you can be fairly confident that your information is going where it should. If not, you have a phone number to help law enforcement track down the criminal.
  • Don't let someone repeat your credit card number over the phone. You never know who may be standing behind the pizza girl taking your order on Friday night. If she wants to make sure she's got the right credit card number, just let her know you'll read the number twice for verification.
  • Don't send mail in your mailbox. Drop it off at the post office. Identity thieves love to collect bill payments or credit card payments. Not only do they get your credit card number, but if you're paying by check, they get your account number as well.

    These low-tech methods may or may not be part of a "Piracy Ring". These are organized networks of individuals who "recruit" an identity thief who has access to information. For example, someone might approach the waitress at a restaurant and offer her $5.00 for every credit card number she can steal. That can be done while reading your card at the check-out, and most people don't even notice when it happens. And if you asked the waitress, it probably wouldn't even occur to her that she was committing identity theft.


    Data Breach – The "high-tech" category represents the more sophisticated identity thief. Their methods are often more covert, which makes them hard to detect or respond to. This is also the area that a consumer has the least control over their personal information. Most identity theft laws address this area. Laws such as FACTA and HIPAA focus on three key areas of record keeping; how records are stored, how they are accessed, and how they are disposed of.

    These laws require training of the people that handle your personal information, but if you go into the local retailer down the street and talk to the guy behind the counter he will have no idea what are talking about. This is because most businesses are so busy handling their day-to-day operations that they don't even know about these laws, much less what they need to do to comply with them. (From my personal experience, A local restaurant frequented by state legislators was handing out receipts with the full credit card number readable.

    Once it was pointed out they fixed it immediately, but FACTA has been in effect since 2003. What conclusion would most people draw from that?)

    These laws also require written policies about how the company handles personal information, including how they get rid of it. FACTA requires that it is shredded, burnt, or otherwise destroyed so that the information can no longer be read. Document destruction companies usually provide a certificate showing the documents were destroyed. But even this isn't foolproof. A quick search on Google will show hundreds of stories about data being stolen from recycling plants.

    Business owners may want to take a look at the related links to learn more.

    Even if the company is aware of the laws and has trained their employees about their data security policies, they may fall victim to a hacker. In these attacks there are commas in the totals of records lost. Since "power" in the world has come to be defined by economic standards instead of military, attacks like this get the attention of National Security.

    The frustrating part of all this is that none of it is in your control. The government has written the laws but then sterilizes them in our courts, or delays enforcement to the point of ludicrous. It's gotten to the point that states are taking matters into their own hands to address some of the root causes of identity theft (i.e. taking away the market for stolen identities).