Learn How Identity Theft Happens

Phone and Email Scams, Data Breaches, and Dumpster Diving

Pickpocket taking wallet

Peter Dazeley / Getty Images

Identity theft can happen to anyone. Low-tech methods such as dumpster diving for data and telephone scams take advantage of the victim's behavior. In high-tech methods of identity theft involving data breaches, the situation is out of your control because your personal information is stolen from a business.

Safekeeping Official Family Documents

The best place to keep personal information at home is in a locked safe, although bank deposit boxes are still a great idea if you can afford one. The worst place to keep birth certificates, Social Security cards, passports, insurance documents, and the like is in the desk drawer.

A large number of cases involving children's identity theft are due to a parent's misuse of their own child's identity, but there are still plenty of cases where a friend of the family, or even another family member, was the culprit.

Dumpster Diving

Dumpster diving has been around for quite a while but used to be the province of detectives, private investigators, and the occasional industrial espionage agent looking for information on a competitor's clients. Many Americans don't realize that once something is thrown in the trash and put on the curb for pickup, you lose any "expectation to privacy".

The quick fix is to keep a paper shredder or "burn bag" next to your desk, and use it for mail that has your personal information, such as bank statements, credit card statements, utility bills, or insurance forms.

Mail, Phone, and Email Scams

Mail, phone, and email scams get data by relying on the notion that if you do something often enough, occasionally you score. Low-tech email scams are probably the most visible because they are cheap and easy. The scam artist can send out thousands at one time. These are really just phishing techniques aiming to get you into telephone conversations that can be recorded. It's possible to slip and unintentionally reveal private information to a skilled phone scammer.

Reputable financial organizations will not ask for any sensitive information by email. You may receive emailed prospecting letters asking you to use a certain investment firm or apply for a loan at a certain bank, but legitimate business is still done by phone, fax, in person, or through a secure website.

Avoid these phishing schemes by using some common sense:

  • Don't give out personal information over the phone. If you originated the call, or are certain you know the person on the other end, you can feel fairly safe. If you're not certain, ask for a number you can call back. Then call the business the caller said they represent. Ask if the person works there. If they do, you can be fairly confident your information is going where it should. If not, you have a phone number to help law enforcement track down the criminal.
  • Don't let someone repeat your credit card number over the phone. You never know who may be standing behind the person taking pizza orders on a Friday night. If they want to make sure to have the right credit card number, let them know you'll read the number twice for verification.
  • Don't send mail in your mailbox. Drop it at the post office. Identity thieves love to collect bill payments or credit card payments. They get your credit card number, but if you're paying by check, they get your account number as well.

These phishing methods may be part of a "Piracy Ring," an organized network of individuals who "recruit" a person who has access to information. For example, someone might approach the waiter at a restaurant and offer $5 for every credit card number they can get. That can be done while reading your card at the check-out, and most victims don't even notice when it happens. If you asked the waiter, it probably wouldn't even occur to them they are enabling identity theft.

High-Tech Data Breaches

The high-tech category represents a more sophisticated identity theft often called a data breach. The methods are often more covert, which makes them hard to detect or respond to. This is also the area a consumer has the least control over.

Most identity theft laws are designed to address this area. Laws such as the Fair and Accurate Credit Transactions Act (FACTA) and Health Insurance Portability and Accountability Act (HIPAA) focus on three key areas of record-keeping: how records are stored, how they are accessed, and how they are disposed of.

These laws require training to be given to anyone who handles your personal information, but for practical purposes, most businesses are so busy handling their day-to-day operations, compliance is not a given.

These laws also require written policies about how the company handles personal information, including how they get rid of it. FACTA requires it be shredded, burned, or otherwise destroyed so the information can no longer be read. Document destruction companies usually provide a certificate showing the documents were destroyed. But even this isn't foolproof. A quick internet search turns up hundreds of stories about data being stolen from recycling plants.

Even if the company is aware of the laws and trains its employees about their data security policies, they may increasingly fall victim to a hacker. Millions of people have had their personal health information and other personally identifiable information exposed in attacks on large corporations.

More than 3,800 breaches occurred in the first six months of 2019, according to a report by Risk Based Security. This is a 54% increase over the same time period in 2018. The majority of breaches resulted from outside attacks.