- Systematic review
- Open access
- Published: 10 February 2024
Identity fraud victimization: a critical review of the literature of the past two decades
- Yasemin Irvin-Erickson ORCID: orcid.org/0000-0002-1467-5960 1
Crime Science volume 13 , Article number: 3 ( 2024 ) Cite this article
1946 Accesses
1 Altmetric
Metrics details
This study aims to provide an understanding of the nature, extent, and quality of the research evidence on identity fraud victimization in the US. Specifically, this article reviews, summarizes, and comments on the state of empirical research of identity fraud victimization in the US based on a narrative review of 52 published empirical studies. Studies included in this review suggest that the prevalence of identity fraud in the US has increased over the years and existing account frauds is the most prevalent type of identity fraud. There is a pressing need for more research on the prevalence of identity fraud victimization among minors, institutionalized individuals, and individuals from minority groups; long-term prevalence of identity fraud victimization; and emerging forms of identity fraud such as synthetic identity fraud victimization. Studies included in this review further suggest that identity fraud risk factors vary based on the fraud type considered. Identity fraud victims can experience a variety of harms. Longitudinal studies following identity fraud victims are essential for reliably estimating the risk factors for identity fraud victimization and the impact of identity fraud victimization on individual victims. The research on services for identity fraud victims is limited and suggests the positive impact of trauma-informed services for serious identity fraud victims. The overwhelming lack of research on the impact of programs and services for identity fraud victims necessitates more attention from scholars to study the impact of programs, interventions, and services for identity fraud victims on reporting of victimization, prevention of victimization, experiences of victims, and victim-centered cost benefit analysis of services. Policy and practice implications of these findings are discussed.
Identity theft and associated frauds have increasingly attracted public attention in the United States (US) with highly publicized data breaches and millions becoming victims of this crime every year. Efforts to educate the public about identity theft have raised attention to the risks of identity theft and fraud, however, an in-depth exploration of identity fraud victimization is needed to further the field’s and the public’s understanding of this crime.
Despite the comparatively scant evidence on identity theft in the field of criminology, the research on identity theft in the US has started picking up speed in the past decade with the availability of nationally representative data on this topic through the Bureau of Justice Statistics’(BJS) National Crime Victimization Survey Identity Theft Supplement (NCVS-ITS). The NCVS is the US’s primary data source on victimization since 1972. The NCVS is administered to non-institutionalized individuals who are 12 years old or older from a nationally representative sample of households in the US. The ITS is a supplemental survey to the NCVS which is administered to the respondents to the NCVS survey who are 16 years old or older. The ITS was first implemented in 2008 and gets fielded approximately every two years. This leading national level data source on identity theft victimization asks respondents if they had been victims of different forms of identity theft in the past 12 months and beyond the past year and the characteristics and consequences of victimization and help-seeking behavior if respondents indicate they had been victims of identity theft.
There has been a few review studies on the state of the US literature on identity theft through funding by the Department of Justice offices. For instance, the first literature on identity theft by Newman and McNally ( 2005 ) funded by the National Institute of Justice explored what is known about identity theft and the knowledge gaps based on their review of publications of different organizations, complaint data, less than 10 surveys conducted by different organizations, and a handful of research studies published at the time of that review. Another review study by Irvin-Erickson and Ricks ( 2019 ) funded by the Office for Victims of Crime examined the state of the literature on fraud victimization based on research evidence from academic and non-academic sources and practice evidence sources (such as fact sheets, podcasts, and other sources that are not traditionally considered in reviews) published between 2000 and 2018. This study expands upon the aforementioned reviews by considering not only the scope of the literature on identity theft victimization published in the past two decades but also the quality of conduct of these studies to provide a broad yet nuanced understanding of the state of the literature on this topic and the knowledge gaps. Although the aforementioned reviews provided invaluable information about the opportunity structure, risks, and consequences of identity theft victimization and the needs of identity theft victims, similar to other traditional narrative reviews of the literature in the grey literature, these reviews did not include risk of bias and quality assessments of the sources of evidence included in these reviews. The current study fills this critical knowledge gap in our understanding of the state of the literature on identity fraud victimization through consideration of the risk of bias and the quality of each study included in this review.
Despite the increase in the number of studies on the topic of identity theft victimization over the past decade, the evidence base on identity theft victimization is still limited. Accordingly, this review did not follow the format of a systematic review and instead followed steps similar to a scoping review to gain an understanding of the nature, extent, and quality of the research evidence on identity fraud victimization. Specifically, this review aimed to answer the following questions to present the size, scope, and quality of the emerging evidence base on identity fraud victimization:
What are the trends in the US literature on identity fraud victimization?
What do we know from the US literature on identity fraud victimization?
What are the topics most and least commonly studied in the literature on identity fraud victimization?
What are the risks of bias associated with existing studies?
What do studies with lower risk of bias and/or higher quality demonstrate about key concepts studied by these studies?
What are the knowledge gaps in the US literature on identity fraud victimization?
By answering these questions, this review primarily aims to provide suggestions for future research on identity fraud victimization including potential research questions for future systematic reviews as the evidence base on this topic becomes denser at which point researchers can conduct larger knowledge syntheses. Accordingly, although risk of bias and quality of studies are assessed for each study included in this review, a meta-analysis or statistical pooling of studies has not been performed.
Definitional issues regarding identity theft
There is an increased interest in the field to differentiate between the terms of identity theft and identity fraud because not all identity theft incidents involve a fraudulent act at the time of theft of personal information. Javelin Strategy and Research (2021) defines identity theft as “unauthorized access of personal information” and identity fraud as identity theft incidents in which there is an element of financial gain. The Federal Trade Commission (FTC) and the BJS define identity theft as “fraud that is committed or attempted using a person’s identifying information without authority” (FTC, 2004 ; Harrell, 2019 , p. 18). The acts considered by the BJS under this definition include unauthorized use or attempted use of an existing account, unauthorized use or attempted use of personal information to open a new account, and misuse or attempted misuse of personal information for a fraudulent purpose (Harrell, 2019 ).
Researchers differentiated between three stages of identity theft: acquisition of personal information, use of personal information for illegal financial or other gain, and discovery of identity theft (Newman & McNally, 2007 ). Personal information can be acquired through different means ranging from simple physical theft to more complex and even legal ways such as scams, cyber, or mechanical means and purchasing the information from data brokers. The acquired personal information is used for financial gain or other criminal purposes (Newman & McNally, 2007 ). However, fraudulent use of information might not happen at the time of acquiring of information and once personal information is exposed, a person can become an identity theft victim multiple times.
Another important stage of identity theft is the discovery of theft of personal information and associated frauds because the longer the discovery period is the less likely it is for victims to contact law enforcement (Randa & Reyns, 2020 ) and the more likely it is for them to experience aggravated consequences (Synovate, 2007 ). Police reports are critical for victims to pursue an identity theft case (OVC, 2010 ). For victims of certain forms of identity theft, the discovery of victimization can take as long as 6 months or more (Synovate, 2003 , 2007 ). In cases where personal information is exposed due to data breaches, victims might have greatly varying experiences of when and what they learn about this exposure (if at all) and the services available to them. Currently, all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have laws requiring businesses, and in most states, government organizations to notify individuals of security breaches involving personal information (National Conference of State Legislatures, 2022 ). However, the decisions of organizations on whom to notify (such as the victims, the FTC, or law enforcement), when to notify, and how to notify can drastically vary from one geography to another based on laws. Two groups can become targets of identity fraud: individuals whose personal information is stolen and organizations which are in care of the stolen personal information or which become targets of fraud. Law enforcement might be more likely to put emphasis on organizations as visible and collective targets of identity theft (Newman & McNally, 2005 ).
In recognition of the stages and targets of identity theft, there has been an interest in the field to differentiate between the terms of identity theft and identity fraud. In popular knowledge, the terms “identity theft” and “identity fraud” have been used interchangeably considering the interrelated nature of acts considered under these terms. However, it is acknowledged that these terms legally refer to different things (Newman & McNally, 2005 ).
In statute, identity theft was legally defined at the federal level with the Federal Identity Theft and Assumption Deterrence Act (ITADA) of 1998 (Newman & McNally, 2005 ). ITADA made it a federal offense to “knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law” (the Identity Theft Act; U.S. Public Law 105-318). Prior to this legal definition of identity theft in the US, the terms “identity theft” and “identity fraud” were used to primarily distinguish between the individual victims and collective victims with the former being referred to as victims of identity theft and the latter as victims of identity fraud (McNally & Newman, 2008 ). In later years, these terms have been used to differentiate between the act of unlawful acquisition of identity information and the fraudulent use of personal information.
Over the years, different research and practice sources have generally considered the following acts under identity theft and identity fraud: criminal identity theft in which individuals use others’ personal information during interactions with law enforcement or for committing other crimes (Button et al., 2014 ); existing account frauds where an individual makes unauthorized charges to existing accounts such as bank, credit card, and other existing accounts; medical/insurance identity theft in which an individual fraudulently uses somebody else’s personal information to receive medical care; new account frauds in which an individual’s personal information is used unlawfully to open a new account; social security number (SSN) related frauds in which an individual uses the victim’s SSN to file for a tax return, for employment, or to receive government benefits; and synthetic identity theft in which different pieces of real and fake identity information are combined together to create an identity and to commit frauds (Dixon & Barrett, 2013 ; FTC, 2017 , 2018 ; GAO, 2017 ; Pierce, 2009 ).
The opportunity structure for identity theft
Earlier research on perpetrators of identity theft, using a conceptual framework informed by Cornish and Clarke’s ( 1986 ) Rational Choice Theory and the methodology of crime script analysis, has focused on the motivations and methods of committing identity frauds (see Copes & Vieraitis, 2009 , 2012 ) and the impact of experiences of perpetrators’ on their criminal involvement and criminal event decisions (Vieraitis et al., 2015 ). Regarding the organizational level of identity frauds, research has shown that perpetrators of identity theft and fraud might range from individuals to street-level and more advanced criminal organizations (Copes & Vieraitis, 2009 , 2012 ; Newman & McNally, 2007 ). Although earlier research has shown that perpetrators of identity theft used low-technology methods (Copes & Vieraitis, 2009 , 2012 ), perpetrators of identity theft have started using more complex schemes and relying more heavily on the internet to acquire identity information over the years (Pascual et al., 2018 ).
The number of identity fraud victims who know the perpetrators has decreased over the years. For instance, in 2008, about 40% of identity fraud victims knew how the incident happened, and from those, about 30% believed that their information was stolen during a purchase or other interaction and 20% believed that their personal information was stolen from their wallet, 14% believed the information was stolen from files at an office, and another 8% believed that the information was stolen by friends or family (Langton & Planty, 2010 ). In 2012, about 32% of identity victims in the US knew how their personal information was stolen and 9% knew the identity of the perpetrator (Harrell & Langton, 2013 ). Comparatively, in 2018, 25% of identity fraud victims knew how the offender obtained the information and 6% of victims knew something about the perpetrator (Harrell, 2021 ). This unknown status of how the information is obtained or who the perpetrator is sometimes interpreted as the technology-facilitated nature of the acquisition of information (Newman & McNally, 2005 ). However, victims of instrumental identity theft in which an individual’s information is stolen to commit other frauds and crimes, and individuals who have been victims of multiple types of identity theft in the recent past, are more likely to know how their information was stolen and the perpetrator (Harrell, 2019 ). New research examining the impact of the pandemic on identity fraud further suggest an increase in identity fraud scams and loan fraud in which perpetrators directly target consumers and a significant portion of victims of identity fraud scams and loan fraud (about 3 in every 4 victims) knowing their perpetrators (Buzzard & Kitten, 2021 ).
The most frequent way identity theft victims become known to authorities in the US is complaints to financial institutions (Harrell, 2021 ). The other ways victims report their victimization include complaints to federal institutions [such as the FTC and the Internet Crimes Complaint Center (IC3)] and non-governmental organizations [such as the Identity Theft Resource Center (ITRC) and the National Consumers League (NCL)] and crime reports to law enforcement.
In the past decade, federal and non-profit organizations increased their efforts to educate consumers on risks and reporting of identity theft and how to deal with the ramifications of fraud victimization. Several federal and other organizations provide information for services victims can receive such as reporting and assistance hotlines, civil and criminal legal services, and trauma informed counseling. Other available responses to identity theft include credit and identity theft monitoring, identity theft insurance, and identity theft restoration; however, these responses are typically provided by for-profit companies. Depending on who the victim contacts, victims might not be uniformly informed about all options available to them. Many victim service providers working in organizations funded by the Victims of Crime Act do not have the resources to recognize and respond to fraud’s harms (OVC, 2010 ). Furthermore, even when services are available, there might be significant barriers against victims’ access to these resources including financial barriers. Currently, majority of services available to identity theft victims are geared towards handling out-of-pocket expenses.
At the time of this review, there was a fast evolving opportunity structure for identity theft and identity fraud due to the hardships inflicted on individuals by the economic and health crises. Direct stimulus payments, increased loan applications, and the overall increase in online activities during the pandemic have provided increased opportunities for identity frauds such as account takeovers (Tedder & Buzzard, 2020 ) and identity frauds in relation to scams (Buzzard & Kitten, 2021 ). Furthermore, low-income individuals, older individuals, individuals who depend on others for their care, and individuals who might not have control over their finances can experience aggravated harms as a result of identity fraud victimization. Furthermore, some victims might experience a significant damage to their reputations (Button et al., 2014 ). All of these conditions necessitate more scientific inquiry and a better understanding of existing research evidence base on identity fraud.
Scope of review
This review focuses only on identity fraud victimization and excludes studies that focus on theft of personal information but not the fraud aspect of identity theft. As an example, although skimming, intentional data breaches, and mail theft are acts of identity theft, if a research study focused solely on these acts but not the fraud aspect, that study was excluded from the review. The review further excluded research on identity frauds targeting organizations and governments, harms of identity fraud to businesses and institutions, and research studies focusing on victims in countries other than the US. The review also excluded sources in which no data collection and analysis was attempted, paid research content, and research summaries with limited or no information about methodology.
The current review included empirical research studies that focus on identity fraud victimization in the US which were published in English and between January 2000 and November 2021. The resources that were reviewed included journal articles, PhD dissertations, government reports, and other reports found in major social science research databases and on websites of organizations focusing on identity theft. This review adopted a broad definition of “empirical” research focusing on studies using both quantitative and qualitative data analysis methods including descriptive analysis.
In this review, a comprehensive search strategy was used to search the literature for relevant studies. The search strategy was consisted of (1) a formal search of academic databases using search strings based on Boolean operators Footnote 1 and (2) an informal search of grey literature using keyword searches and searches on the websites of organizations focusing on identity fraud. Searches were conducted in the following academic databases: Proquest Social Sciences Collection, Web of Science Social Sciences Citation Index, Wiley Online, JSTOR, Criminal Justice Abstracts, SocIndex Full text, and Violence and Abuse Abstracts. Additional searches were completed on the websites of the BJS, the Internet Crime Complaint Center (IC3), the FTC, the ITRC, Javelin, the National White Collar Crime Center (NW3C), and the Ponemon Institute.
299 potential studies were identified through database searches (excluding duplicate records) and 37 publicly available empirical studies were identified from websites of leading organizations on identity fraud. Ultimately, 29 sources from these database searches and 23 sources from the aforementioned organizations met the inclusion criteria for this review (see Appendix 1 for the screening process). These included articles are denoted with an asterisk (*) in the references section.
Appraisal of quality of studies
Studies included in this review were appraised for methodological quality. Quality appraisal was conducted after deeming a study eligible for the review based on the inclusion criteria specified earlier. Appendix 2 and Appendix 3 show the two quality appraisal tools that were adapted from Hoy et al. ( 2012 ) and Mays and Pope ( 2020 ). Each quantitative study was assigned into one of three categories based on the evaluation of risk of study bias: low, moderate, or high risk of bias. Each qualitative study was assigned into one of three categories based on the evaluation of quality: low, medium, or high quality. For the only mixed-method study in this review, risk of bias and study quality were evaluated separately for qualitative and quantitative elements of the study. More information about quality rating process and quality ratings of studies can be found in Appendix 4 and notes on bias and quality assessments for included studies can be found in Appendix 5.
Trends of identity fraud victimization research
Of the 52 studies included in this review, the majority were NGO reports (n = 22) followed by journal articles (n = 18), government reports (n = 7), and PhD dissertations (n = 5). Almost all of the white papers from government organizations and NGOs (n = 28) were descriptive quantitative studies. All of the white papers included in this review (n = 29) were based on survey data. Of the 23 academic studies (i.e., journal articles and dissertations) included in the review, 19 quantitative studies used surveys and 4 qualitative studies used interviews or focus groups discussions as their data source. Among these 23 academic studies, the primary data analysis method was regression analysis (n = 15) followed by descriptive quantitative data analysis (incidence, correlation, ANOVA analyses (n = 4), narrative analysis (n = 3), and phenomenological analysis (n = 1). Only one quantitative study included in this review used a quasi-experimental design with propensity score matching, and none of the quantitative studies included in the review had random assignment. The earliest journal article included in this review was published in 2006 and half of the journal articles included in this review (n = 9) were published between 2019 and 2021 (n = 9).
The studies in this review thematically fell into one or more of the following four areas of identity fraud victimization research: (1) prevalence, incidence, and reporting, (2) risk factors, (3) harms, and (4) prevention, programs, and services. From the 52 studies included in this review, 31 focused on harms, 22 focused on prevalence, incidence, and reporting, and 15 focused on risk factors. Notably, only 3 studies included in this review focused on services for identity fraud victims and among these studies there were no experiments with random assignment focusing on the effectiveness of specific programs or interventions for identity fraud victims (see Table 1 for subtopics and citations of identity fraud studies included in this review).
Prevalence, incidence, and reporting of identity fraud victimization
A significant number of studies included in this review (n = 22) focused on the extent and reporting of identity fraud victimization, however the majority of these publications (n = 13) were evaluated to have a high risk of bias. Nine of the 22 publications in this area which were evaluated to have lower risk of bias (i.e., low or moderate risk of bias), were based on nationally representative surveys by the BJS and the FTC.
Prevalence, incidence, and types of identity fraud victimization
National estimates.
Seven lower bias studies included in this review uniformly demonstrated that the incidence and prevalence of identity fraud victimization have increased between early 2000s and 2018, and misuse or attempted misuse of an existing account has been the most common type of identity fraud victimization over the years (Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ; Synovate, 2003 , 2007 ).
The FTC, the first organization that collected national survey data on identity fraud based on phone surveys of US adults aged 18 and older in 2003 and 2006 estimated that approximately 10 million, or 4% of US adults, experienced identity fraud in the year preceding data collection (Synovate, 2003 , 2007 ). As indicated earlier, BJS has been collecting individual-level data on identity fraud since 2008. The 2008 iteration of the NCVS-ITS was significantly different than the later iterations of the NCVS-ITS conducted in 2012, 2014, 2016, and 2018. Results from the 2008 NCVS-ITS are not comparable to the results from the subsequent surveys. One important limitation of the NCVS-ITS is that it does not include individuals younger than 16 and individuals living in institutional and transient settings in its sample (Harrell, 2021 ). Another limitation of the NCVS-ITS is that although it was designed to distinguish between victims of attempted identity fraud and victims of successful frauds, the 2008 NCVS survey couldn’t successfully distinguish between the two (Langton & Planty, 2010 ). Accordingly, reports based on the NCVC-ITS fielded between 2008 and 2018 do not provide disaggregated statistics on these two groups.
The 2008 NCVS-ITS, despite being different than the 2003 and 2006 surveys of the FTC with regards to its shortest prevalence and the age interval of its study participants, similarly found that 11.7 million, or 5% of all persons aged 16 or older in the US, have been victims of at least one type of identity fraud in the two years preceding the survey (Langton & Planty, 2010 ). Later iterations of the NCVS-ITS highlighted a significant increase in the share of identity theft victims among persons aged 16 and older, especially after 2015. While the 2012 and 2014 NCVS-ITS estimated that approximately 7% of all persons aged 16 or older in the US had been victims of identity fraud in the past year (Harrell, 2017 ; Harrell & Langton, 2013 ), the 2016 and 2018 iterations of the NCVS-ITS estimated that approximately 10% and 9% of persons aged 16 or older in the US had been victims of at least one form of identity fraud in the past 12 months, respectively (Harrell, 2019 , 2021 ).
In the FTC and the BJS identity theft surveys, three main subcategories of identity fraud are captured: existing account frauds, new account frauds, and use of personal information to commit other frauds. The FTC and the BJS surveys over the years have showed that existing credit card frauds are the most prevalent form of identity fraud victimization (Harrell, 2017 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ; Synovate, 2003 , 2007 ). Notably, neither the FTC nor the BJS surveys captured synthetic identity frauds.
In the FTC and the BJS surveys, more detailed forms of identity frauds are captured under the main subcategories of existing account, new account, and other frauds. The FTC reports included in this review provided estimates on identity theft victims who had been affected by these detailed identity fraud categories (see Synovate, 2003 , 2007 ). For instance, according to the 2006 FTC identity theft survey, fraudulent use of credit cards (existing account frauds), opening of new credit cards (new account frauds), and use of personal information to commit other crimes (other frauds) were the most frequently experienced detailed fraud types under the three broad subcategories of identity fraud (Synovate, 2007 ). Although the NCVS-ITS also collects data on detailed forms of frauds under these three categories, neither the BJS reports nor the academic studies in this review based on the NCVS-ITS provided disaggregated information on detailed categories of identity fraud considered under “new account” and “other fraud” categories. However, publications based on the NCVS-ITS showed that, existing credit card frauds is the most prevalent existing account fraud subcategory followed by bank account and other existing account frauds (Harrell, 2017 , 2019 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ).
Currently, surveys from the Ponemon Institute, which were classified to have high risk of bias, provide the most in-depth insights into medical identity fraud. In Ponemon surveys, medical identity fraud is defined as the use of an individual’s personal identity to fraudulently receive medical service or prescription drugs and goods, including attempts to commit fraudulent billing (Ponemon Institute, 2011 ). The number of US adult individuals who experienced medical identity fraud at some point in time increased from 1.49 million in 2011 to 2.32 million in 2014 (Ponemon Institute, 2011 , 2012 , 2013 , 2015 ). Lastly, another study with high bias risk by Navarro and Higgins ( 2017 ) found that among victims of familial identity fraud (identity frauds committed by family members), the most frequent type of identity fraud experienced was misuse of personal information for instrumental frauds such as government benefit frauds.
Although there is a recall bias associated with using cross-sectional surveys to capture distant past experiences, data from the FTC and the BJS surveys also provide important information about individuals’ exposure to multiple forms of identity theft and their repeat victimization. In 2003, the FTC estimated the 5-year prevalence rate of identity fraud victimization among US adults to be 12.7% (Synovate, 2003 ). In 2012 and 2014, the NCVS-ITS estimated that about 14% of individuals aged 16 and older experienced at least one incident of identity fraud in their lifetime (Harrell, 2017 ; Harrell & Langton, 2013 ). Analyses based on the two most recent iterations of the NCVS-ITS further show that nearly 1 in 5 persons aged 16 and older experienced identity fraud in their lifetime (Harrell, 2019 , 2021 ).
Data from the NCVS-ITS further show that number of identity fraud victims who experienced multiple types of identity fraud victimization in a single incident decreased between 2016 and 2018 and majority of multiple identity fraud victims in a given year experienced fraudulent use of a combination of existing accounts (Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ). According to the 2008 NCVS-ITS, about 18% identity fraud victims experienced multiple types of identity fraud during their most recent victimization in the past year. Studies based on the 2012, 2014, 2016 iterations of the NCVS-ITS estimated that approximately 8% of victims experienced multiple types of identity fraud during a single incident (Harrell, 2017 , 2019 ; Harrell & Langton, 2013 ). According to the 2018 NCVS-ITS, only 6% of the identity fraud victims experienced multiple identity victimization in the past year (Harrell, 2021 ).
Subnational estimates
Publications by the AARP included in this review, which were evaluated to have a high risk of bias due to several design issues (see Appendix 5), showed that 15% to 30% of individuals who participated in the AARP surveys in Colorado, Minnesota, Montana, Oklahoma, Washington, and West Virginia have been victims of identity fraud or knew someone who has been victim of identity fraud in the past 5 years (see Binette, 2004 ; Burton, 2008 ; Dinger, 2006 ; Sauer, 2005 , 2010 ; Silberman, 2004 ).
Discovery of identity fraud victimization
Although majority of identity fraud victims discover their victimization quickly, some victims, and especially victims of new account frauds and other frauds, might be more likely to have a long discovery period (Synovate, 2003 , 2007 ). FTC surveys estimated that for 33% to 40% of all identity fraud victims, it took less than one week to discover that their personal information was misused (Synovate, 2003 , 2007 ). The same surveys further found that the discovery period was the quickest for victims of existing account frauds; and, victims of new account and other frauds were the least likely to discover their victimization within one week (Synovate, 2003 , 2007 ). Furthermore, for 24% to 27% of new account and other fraud victims, it took them 6 months or more to discover their victimization as opposed to less than 5% for existing credit card and other existing account victims (Synovate, 2003 , 2007 ). In parallel with these findings, the 2014 Ponemon medical identity fraud study found that most victims of medical identity fraud did not learn about their victimization until 3 months after the incident (Ponemon Institute, 2015 ). Surveys by the BJS over the years have consistently shown that the most common way identity fraud victims discover their victimization was through contact from a financial institution for victims of existing account frauds and contact from a non-financial institution for other types of identity fraud (Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ).
Reporting of identity fraud victimization
The studies included in this review demonstrated that there is a considerable risk of underreporting of identity fraud victimization to authorities (especially to law enforcement) and to organizations which can provide the necessary information and services to handle the aftermath of victimization.
Looking at studies from early 2000s, the 2003 and 2006 FTC surveys show that, 38% of identity fraud victims did not report their victimization to any organization. In both surveys, 43% of the victims reported their victimization to the company that issued an existing credit card/account or the company that issued the new account and close to 75% of survey participants did not report their victimization to law enforcement (Synovate, 2003 , 2007 ). According to the 2008 NCVS-ITS, the majority of victims (68%) contacted a credit bureau or a bank to report their victimization. The 2008 NCVS-ITS estimated the reporting of identity fraud victimization to law enforcement at 17% (Langton & Planty, 2010 ), which is lower than the FTC surveys’ estimates of 25% in 2003 and 2006 (Synovate, 2003 , 2007 ). The later iterations of the NCVS-ITS confirmed the findings from earlier surveys by showing that not only identity fraud is underreported to law enforcement but reporting of identity fraud to law enforcement decreased significantly after 2008 with less than 10% of victims reporting their most recent victimization to law enforcement in 2012, 2014, 2016, and 2018 (Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ). However, the same NCVS-ITS surveys also showed an uptick in reporting of identity fraud to non-law enforcement agencies. According to the 2012, 2014, 2016, and 2018 NCVS-ITS surveys, about 9 in 10 identity fraud victims reported their victimization to a non-law enforcement agency (Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ) with credit card companies and banks being the most frequently contacted organizations and non-law enforcement victim service organizations being the least contacted organizations by the victims.
BJS reports based on all 5 iterations of NCVS-ITS further suggest that victims of existing account frauds are less likely than victims of new account frauds and other frauds to report their victimization to law enforcement (Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ). The most common reason for victims to not report their victimization to law enforcement was victims handling the incident in a different way such as reporting their victimization to another non-law enforcement agency (Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ). Other reasons for victims to not report their victimization to law enforcement include victims not suffering any monetary loss; victims thinking law enforcement cannot help them; victims thinking their victimization is not important enough; victims not knowing they can report their identity fraud victimization to police; victims being embarrassed, afraid, or burdened to report their victimization; and perpetrator being a family member or an acquaintance (Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ). The 2014 Ponemon Institute study similarly found that victims of comparatively more serious identity fraud cases are more likely to contact law enforcement. Ponemon surveys found reasons similar to those identified by the NCVS-ITS for victims not reporting their victimization to legal authorities (Ponemon Institute, 2012 , 2013 , 2015 ).
Two academic studies by Golladay ( 2017 ) and Reyns and Randa ( 2017 ), both based on the 2012 iteration of the NCVS-ITS, provide additional insight into reporting of identity frauds. According to Golladay ( 2017 ), higher income victims are more likely to report their victimization to a credit card company or financial institution whereas people of color, individuals who know the perpetrator, and individuals who did not have prior identity fraud victimization or who had a lower number of identity fraud victimization experiences in the past year were more likely to contact law enforcement. The Golladay ( 2017 ) finding on the positive relationship between knowing the offender and the likelihood of contacting organizations is surprising considering, the descriptive analysis of the NCVS-ITS suggest that individuals knowing the offender is a reason for not contacting law enforcement (Harrell & Langton, 2013 ). This discrepancy might be due to the increasingly technological nature of identity fraud cases where victims who know anything about the offender contacting the police or the omission of some variables in relation to the severity of identity fraud (such as discovery time or time spent trying to resolve issues in relation to victimization) from the regression models. According to the same study (Golladay, 2017 ), people of color (in comparison to individuals who identify as White), individuals who knew the perpetrator (in comparison to people who did not know), individuals with a higher monetary loss as a result of their victimization, and victims who experienced a higher number of identity frauds in the past year were more likely to report their victimization to a credit bureau.
Another study by Reyns and Randa ( 2017 ) compared the factors affecting reporting of victimization among victims of credit card fraud, bank fraud, any existing account fraud, and new accounts fraud. According to this study, seriousness of the offense (which the authors describe as incidents in which victims experienced more emotional distress and had more out of pocket losses and perpetrators obtained more money) appears as the only common factor affecting the decision to report victimization to law enforcement among all identity frauds considered. Other factors such as knowing how the personal information was obtained and a shorter time period between the fraud incident and the discovery of victimization were associated with increased odds of contacting law enforcement for credit card and bank fraud victims. According to the same study (Reyns & Randa, 2017 ), reporting the incident to a non-law enforcement agency was associated with increased odds of contacting law enforcement among victims of existing account frauds, however a sub-analysis of reporting patterns among bank fraud and credit card fraud victims showed that, while bank fraud victims who contacted other agencies were more likely to contact law enforcement, victims of credit card fraud who contacted other agencies were not as likely to contact law enforcement. This study further showed that income and sex were significant predictors of reporting when subcategories of identity fraud were considered. Victims of credit card fraud with higher incomes and female victims of new account frauds were less likely to report their victimization to law enforcement.
Other academic studies, which were evaluated to have a high risk of bias, provide additional insight into reporting behavior of identity fraud victims. A study by Gray ( 2010 ) found that individuals who knew which law enforcement agency to contact for reporting identity fraud were most likely to contact law enforcement (Gray, 2010 ). Another online survey of school counselors by Marcum et al. ( 2016 ) found that counselors who are White, who have a higher level of education, and who work in urban school settings were less likely than their counterparts to complete an incident report about identity fraud victimization reported by students.
Risk factors for identity fraud victimization
From the 52 publications included in this review, 15 focused on risk factors of identity fraud victimization. According to the evaluation of risk of bias among these 15 studies, 6 were classified to have a low risk of bias; 3 to have a moderate risk of bias and 6 to have a high risk of bias. The 9 studies with low and moderate risk of bias ratings suggest several individual-level risk factors for identity fraud victimization. Among these studies, demographic factors were the most commonly studied individual-level predictors of identity fraud victimization. The biggest takeaway from these studies is that predictors of identity fraud victimization vary significantly based on the identity fraud victimization type considered.
Among all demographic factors studied, the findings from different studies on the relationship between age, income, and identity fraud risk were in most agreement. In the broader victimology literature, victims and especially victims of violent crime have been shown to be younger (Turanovic & Pratt, 2019 ). The studies included in this review generally suggest that victims of identity fraud are older than victims of other crimes. However, as indicated in the earlier section, minors under the age of 16 who might be at increased risk of identity fraud victimization due to their clean credit histories and lack of control over their finances (FTC, 2011 ), have not been included in identity fraud data collection efforts in the studies that were reviewed. Accordingly, this exclusion should be taken into consideration in the comparison of age patterns among identity fraud victims and victims of other crimes. Although victims of existing bank account frauds tend to be slightly younger than victims of existing credit card frauds and new account frauds, overall, lower bias studies included in this review show that the victims of existing account frauds and new account frauds tend to be in older age categories (35–64 years of age) (see Anderson, 2006 ; Burnes et al., 2020 ; Copes et al., 2010 ; Harrell & Langton, 2013 ; Harrell, 2017 , 2019 , 2021 ; Langton & Planty, 2010 ). Another important finding from lower bias studies included in this review was that identity fraud victimization risk decreases after age 65 and individuals who are aged 75 and older have a lower risk of identity fraud victimization in comparison to other age groups (Anderson, 2006 ; Harrell & Langton, 2013 ).
High income was another common predictor of identity fraud among the majority of studies included in this review. Several lower bias studies not only showed that among all identity fraud victims, individuals with a household income of $75,000 or more are more likely to be an identity fraud in the general victim population (Anderson, 2006 ; Harrell, 2017 , 2019 , 2021 ; Langton & Planty, 2010 ; Reyns, 2013 ) but this pattern also holds for the subcategory of existing credit card/bank account fraud (Burnes et al., 2020 , 2017 , 2019 ). One exception to this finding was a study by Copes et al. ( 2010 ), which was evaluated to have a moderate level of bias, which showed that although the typical identity fraud victim earned $50,000 to $75,000, victims of non-credit card identity frauds were majority low-income individuals.
The relationship between racial/ethnic minority status and identity fraud victimization risk was another commonly studied topic. Based on the lower bias studies included in this review, the evidence on this relationship was mixed. Findings from the most recent studies based on the NCVS-ITS demonstrate the clear need for differentiating between credit card frauds and other types of identity frauds for exploring the nature of this relationship. A study by Anderson ( 2006 ) based on a regression analysis of data from the 2003 FTC survey showed that, when all identity fraud types are taken into consideration, individuals who identity themselves in the “Other” race/ethnicity group, which included individuals who do not identify as African American/Black, Asian, Hispanic, or non-Hispanic White, were more likely to become victims of identity fraud in comparison to individuals who identify with these racial/ethnic categories. On the other hand, later descriptive analyses based on NCVS-ITS showed that non-Hispanic White individuals were more likely to be victims of identity fraud in the general victim population and this pattern also held true for victims of existing credit card fraud (Burnes et al., 2020 ; Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ). Some of the lower bias studies included in this review showed that there were no differences between different racial/ethnic categories in their risk of experiencing existing bank account frauds (Harrell, 2017 ; Harrell & Langton, 2013 ), new account frauds, and other frauds (Burnes et al., 2020 ). One notable exception to this finding was results from the Copes et al. ( 2010 ) study which showed that victims of non-credit card frauds were more likely to be Black.
Similar to the relationship between racial/ethnic identity and victimization risk, the evidence on the relationship between sex and identity fraud victimization risk was mixed. While some of the lower bias studies included in this review suggested that there was no significant relationship between an individual’s sex and their identity fraud victimization risk (even when different subcategories of identity fraud were considered; see Burnes et al., 2020 ; Harrell, 2019 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ), other studies found that females have a higher victimization risk in general (Anderson, 2006 ; Copes, 2010 ; Harrell, 2021 ) and especially for non-credit card frauds (Anderson, 2006 ; Copes, 2010 ).
Lower bias studies included in this review further showed that other less commonly studied demographic factors such as education, marital status, number of children in the household, and number of adults in the household can be related to risk of identity fraud. While earlier studies found no relationship between marital status and identity fraud risk (Anderson, 2006 ; Copes, 2010 ), a recent regression study by Burnes et al. ( 2020 ), which was based on the 2012 and 2014 iterations of the NCVS-ITS, found that married people were more likely to be victims of instrumental identity frauds. The same study (2020) further showed that individuals who have attended at least some college degree have a higher likelihood of becoming a victim of an existing or new account fraud. The study by Copes ( 2010 ) also found that individuals with more than a high school education were more likely to become identity fraud victims. Although far less commonly studied, a higher number of children in the household (three or more) and having only one adult in the household were also found to be associated with a higher identity fraud victimization risk (see Anderson, 2006 ).
Burnes et al. ( 2020 ) further showed that individuals who experience multiple instances of identity fraud in a short amount of time and individuals who chronically experience identity fraud victimization are more likely to experience identity fraud victimization later. Repeat victimization is a particularly understudied topic within the literature on identity fraud and has important implications considering stolen personally information can be used over the years and the conditions that enable victimization in the first place can predict further victimization.
Lastly, a few of the lower bias studies included in this review examined the relationship between individuals’ protective behavior, routine online activities, and self-control and their risk of identity fraud victimization. For instance, Copes et al.’s ( 2010 ) study found that victims of identity fraud did not engage in any more risky behavior than non-victims and spent about the same time online as average Americans. Other more recent studies on the other hand found a significant relationship between lifestyles, routine activities, self-control and identity fraud victimization. For instance, Holtfreter et al. ( 2015 ) conducted a phone survey with individuals aged 60 and older living in Arizona and Florida and found that individuals who have a lower level of self-control were more likely to engage in risky online purchases and subsequently more likely to become identity fraud victims. Burnes et al. ( 2020 ) further found that some protective behaviors employed by individuals such as changing online passwords and shredding and destroying documents reduced the risk of identity fraud victimization.
Other studies that were evaluated to have a higher risk of bias also provided support for the findings discussed above and provided additional insights into predictors of identity fraud victimization. However, the findings from these studies should be considered carefully considering each study’s limitations (see Appendix 5). For instance, a study by Cornelius ( 2016 ) based on an online survey found that the higher an internet user’s knowledge of phishing risks, the higher likelihood that the user was victimized by online theft. In another study, Holt and Turner ( 2012 ) administered a survey to students, faculty, and staff at a university and found that females and individuals who update their protective computer software were more resilient against identity fraud. Kpaduwa ( 2010 ) conducted a survey with university students and found no significant correlation between students’ knowledge of identity fraud and their risk of identity fraud victimization. Another study by Navarro and Higgins ( 2017 ) found that victims of familial identity theft, younger victims, and repeat victims of identity fraud were more likely to experience non-account identity frauds. Ponemon Institute ( 2011 ) provided further support for the findings from lower bias studies by showing that victims of medical identity fraud tend to be older. Lastly, in another college sample, Reyns et al. ( 2019 ) found that the time spent sending e-mailing was positively correlated with identity fraud victimization risk.
Harms and consequences of identity fraud victimization
From the 52 publications included in this review, 31 focused on harms of identity fraud victimization. Studies based on the NCVS-ITS once again provide the most robust evidence on both economic and non-economic harms of identity fraud.
Economic consequences of identity fraud victimization
The studies included in this review focused on both direct costs of identity fraud for victims, which can include out-of-pocket and reimbursed losses to the victim and indirect costs such as monetary costs associated with dealing with the aftermath of the victimization experience (such as legal costs, bounced checks, and other expenses), lost wages, difficulty finding jobs, being denied loans, and damaged credit scores. The lower bias quantitative studies included in this review based on national samples revealed the following main findings: (1) the majority of identity fraud victimizations result in direct financial loss; (2) the initial money lost does not always result in out of pocket loss; (3) certain demographic factors might predict the likelihood of experiencing out of pocket losses; (4) the indirect and direct loss amount differs by the type of identity fraud victimization; and (5) victims whose personal information is used for other fraudulent purposes are most likely to experience direct and indirect losses, credit related problems, and other financial problems (Green et al., 2020 ; Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ; Reynolds, 2020 ; Synovate, 2003 , 2007 ).
For instance, the most recent statistics based on the 2018 iteration of the NCVS-ITS show that 68% of victims experienced a direct loss of $1 or more as a result of their most recent victimization (with a median loss of $200) but from these victims only 12% experienced an out of pocket loss of $1 or more (with a median out of pocket loss of $100) (Harrell, 2021 , p. 9). According to the same survey, among all victims, only 5% experienced an indirect loss that was $1 or more (with a median loss of $30) (Harrell, 2021 , p. 10). The same survey further showed that victims of existing account frauds were least likely to experience direct and indirect costs whereas individuals whose personal information was stolen for other fraudulent purposes were most likely to experience direct and indirect costs (Harrell, 2021 ). Another important trend is that victims who have a long discovery time had more severe economic consequences. For instance, the 2006 FTC survey found that while 30% of victims who discovered that their personal information was being misused 6 months or more after the incident spent $1000 or more to handle the aftermath of their victimization, only 10% of those who found the misuse within 6 months spent $1000 or more.
A recent study by Reynolds ( 2020 ) further found a relationship between economic costs and demographics. Individuals with lower income and educational attainment and unmarried individuals are at higher risk of experiencing out of pocket losses as a result of their identity fraud victimization. Another study by DeLiema et al. ( 2021 ) based on the 2014 and 2016 iterations of the NCVS-ITS also found that, among older adults, individuals who live at or below the federal poverty level were most likely to experience out of pocket losses.
Other high bias studies included in this review provide further support for the lower bias studies included in the review. For instance, studies by the Ponemon Institute found that medical identity fraud victims can experience distinct indirect costs such as increased insurance premiums and lost medical coverage (Ponemon Institute, 2011 , 2012 , 2013 , 2015 ). ITRC surveys further showcased the aggravated economic harms experienced by victims of comparatively more serious cases of identity fraud (i.e., non-account frauds) (see ITRC, 2003 , 2005 , 2007 , 2008 , 2009 , 2010 , 2014 , 2015 , 2017 , 2018a , 2018b , 2021 ).
Non-economic consequences of identity fraud victimization
The lower bias studies included in this review which are based on national surveys showed that a significant number of identity fraud victims (estimates ranging from 80 to 90%) experience some level of distress as a result of their victimization. Victims of new account frauds and other frauds (in comparison to victims of existing account frauds), victims of multiple types of identity fraud (in comparison to victims of one type of identity fraud), and victims who spend a longer time resolving problems associated with their victimization are much more likely to experience severe distress as a consequence of their victimization (Harrell, 2017 , 2019 ; Harrell & Langton, 2013 ; Langton & Planty, 2010 ). National studies further suggest that a small group of identity fraud victims might experience physical problems, legal problems, and problems with family, friends, work, and school in relation to their identity fraud victimization (Langton & Planty, 2010 ; Harrell, 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Reyns & Randa, 2020 ).
Looking deeper into the time burden aspect of identity fraud, national studies over the years revealed that, unsurprisingly, victims who discovered their victimization later spent a longer amount of time resolving the ramifications of their victimization (Synovate, 2003 ). These surveys further estimated that between 25 and 50% of victims resolved any issues experienced as a result of their victimization within 1 day of discovering they were victims (Harrell 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Synovate, 2007 ) but for a smaller group of victims (less than 10% of the victims) resolving issues took 6 months or more (Harrell 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ). National surveys also showed that new account and other fraud victims spent a longer amount of time resolving their problems in the aftermath of their victimization in comparison to victims of existing account frauds (Harrell 2017 , 2019 , 2021 ; Harrell & Langton, 2013 ; Synovate, 2007 ). According to the 2006 FTC survey, the top 10% and 5% of victims spent more than 100 h and 1000 h respectively to resolve their problems (Synovate, 2007 ).
Other lower bias regression studies and higher quality qualitative studies included in this review support these descriptive findings from national surveys and further suggest other individual and situation-specific factors that can predict who is more likely to experience these negative outcomes (Betz, 2012 ; Golladay & Holtfreter, 2017 ; Pryor, 2009 ; Randa & Reyns, 2020 ). For instance, a qualitative study based on in-depth interviews with identity fraud victims showed that individuals who experienced identity fraud as a minor but discovered the victimization as an adult can experience negative emotional consequences and these consequences might be aggravated if the victims do not have support from law enforcement and their families (Betz, 2012 ). Another study by Golladay & Holtfreter based on the 2012 NCVS-ITS suggested that individuals who have prior victimization experiences and individuals who are not White might be more likely to experience a higher level of negative emotional consequences. Another low bias study by Randa and Reyns ( 2020 ) found that while being older, being a female, spending more time resolving the ramifications of victimization, and higher amount of net loss as a result of victimization were all correlated with higher distress level; being married and having a higher education level were correlated with less distress reporting. The authors (2020) similarly found that while the net monetary loss and the time to clear the incident were positively correlated with the level of negative physical outcomes experienced by the victims; education level and being married were negatively correlated with the level of negative physical outcomes.
Green et al. ( 2020 ) conducted qualitative analyses based on data from interviews with 16 individuals who contacted the ITRC after experiencing a serious identity fraud victimization (defined by authors as victims who experienced identity frauds other than existing credit card fraud and who contacted the ITRC). According to this study, among victims of serious identity fraud, victims of criminal identity fraud (and especially identity frauds involving government-based services) had the most complicated and time-consuming cases with the most substantial indirect economic and legal consequences and the majority of victims of serious identity frauds attempted to investigate their own cases (despite being discouraged to do so). The study further showed that victims who strictly follow the best practices to document in detail their interactions and conversations with others during the remediation process, experienced a significant time burden and had a hard time in managing their daily routines. This study suggested that the experiences of victims of serious identity frauds trying to prove their situations to legal authorities is similar to those of survivors of sexual assault (Green et al., 2020 ).
Other studies that were rated to have a high risk of bias due to issues with the sampling frame and size, nonresponse rate, and missing data nevertheless provided strong support for the findings on the negative emotional and physical outcomes, legal problems, time burden, and other problems faced by the victims in the aftermath of their victimization (see ITRC, 2005, 2007, 2008, 2009, 2010, 2014, 2015, 2017, 2018a, 2018b, 2021 ; Li et al., 2019 ; Ponemon Institute, 2011 , 2012 , 2013 , 2015 ).
Prevention, programs, and services
From the 52 studies included in this review, prevention of victimization and programs and services for victims was the least researched topic. Notably, all of the three articles included in the review under this topic were published between 2020 and 2021 and by the same group of authors.
One of these studies by Green et al. ( 2020 ), which was rated to have a moderate risk of bias, found that victims of serious identity fraud, despite the increasingly online nature of this crime, still use internet search engines as the main method to learn about remediation options. The authors further found that victims of serious identity fraud who expressed a higher level of satisfaction with services provided to them were individuals who had a representative from an organization whom they felt was a partner in their pursuit of recovery from their victimization.
Another study by Green et al. ( 2021 ), which was rated to have medium quality, explored the needs of identity fraud victims from the viewpoint of a diverse group of professionals providing services for identity fraud victims. An important finding from this study was that organizations serving identity fraud victims are not equipped to respond to the long-term needs of victims of synthetic identity fraud in which perpetrators generally combine real and fake identity information to create new identities and victims do not become aware of victimization for years. The study findings further suggested that the field need to better understand the relationship between data breaches and subsequent identity fraud victimization to better educate and provide services to individual victims based on the nature of the stolen personal information.
Another quantitative study by Gies et al. ( 2021 ) examined the effect of using services provided by the ITRC on experiences of serious identity fraud victims (defined by authors as victims of any identity fraud other than misuse of existing credit card). The authors combined data from the ITRC’s 2017 Aftermath Survey and the 2016 NCVS-ITS to compare experiences of three groups of victims of serious identity frauds that have been matched on key demographic variables: (1) respondents to the NCVS-ITS who did not report their victimization to any entity ( no report ), (2) respondents to the NCVS-ITS who reported their victimization to one or more entities and received standard services from these entities ( treatment as usual ), and (3) individuals who contacted the ITRC and received specialized services which involves receiving caring and compassionate advice from specially trained (trauma-informed) employees of the ITRC including a continuity of care upon request of the victim ( ITRC treatment ).
First, this study showed that individuals who contacted the ITRC had a longer time period between the victimization incident and the discovery of victimization and spent a longer amount of time resolving the incident. Accordingly, it is reasonable to argue that although the groups were matched on key variables, individuals in the ITRC treatment group had comparatively more serious cases of identity fraud victimization. The study found significant differences between the three groups regarding the key outcomes measured. The respondents in the ITRC treatment group reported significantly more general problems, financial problems, employment/educational problems, family/friend problems, and physical health problems and more money loss in comparison to the individuals in the no report and treatment as usual groups. This finding is not surprising considering the victims in the ITRC treatment group had a longer discovery time and spent more time dealing with the ramifications of their victimization. However, surprisingly, the victims in the ITRC treatment group reported fewer health problems as a result of their victimization experience than the individuals in the no report and treatment as usual groups. This finding provides support for the model of services provided by ITRC (i.e., the trauma-informed focus of these services and the continuity of care in the long term if requested by the victims). However, these findings should be interpreted carefully considering some limitations of this study (see Appendix 5 for a detailed description) including the cross-sectional nature of data collection on which this quasi-experimental study was based on.
For this study, 52 studies were reviewed for their results on different aspects of identity fraud victimization. So, what does this emerging literature on identity fraud tell us about identity fraud victimization and what we can do as researchers and practitioners to narrow the gaps in the existing literature and to better identify, reach, and serve victims and to prevent victimization?
Cross-sectional national data collection efforts show that the incidence and prevalence of identity fraud victimization increased over the years and the misuse of an existing account is the most common type of identity fraud victimization. However, national identity fraud surveys likely underestimate the number of victims due to underreporting, the discovery period of identity frauds, and exclusion of certain groups and from survey samples. There is a pressing need for further analysis of existing data and collection and analysis of new data to explore the following: (1) the prevalence of identity fraud victimization among minors, individuals in institutional settings, and individuals in transient living settings; (2) long-term prevalence of identity fraud victimization; (3) prevalence of victimization to detailed subcategories of new account and instrumental frauds; (4) disaggregated analysis of prevalence of attempted and successful identity frauds; (5) subnational trends in identity fraud victimization; and (6) prevalence of synthetic identity fraud victimization.
The reluctance of victims to report identity frauds in general, and to law enforcement and victim service organizations in particular, suggest a pressing need to educate the public, the law enforcement, and victim service providers about stages of identity theft, forms of identity theft, and seriousness of this crime. As discussed earlier identity theft and identity fraud are two terms that are used interchangeably although acquiring of information precedes the fraudulent acts committed with the acquired information and theft of information does not have a monetary harm (Gies et al., 2021 ). The lack of distinguishing between these two stages of identity theft and not knowing about different forms of identity theft might result in individuals not fully understanding the potential long-term harms of exposure of their personal information.
Furthermore, in addition to public’s reluctance to report identity fraud victimization to law enforcement; the often cross-jurisdictional nature of identity theft and fraud, the interrelatedness of identity theft with other crimes, the lack of knowledge about the perpetrator, and the frequent handling and investigation of financial frauds by financial agencies make it hard for law enforcement agencies to identify and record identity theft and even disincentivize them to handle identity theft cases (Newman & McNally, 2005 ). The reluctance of victims to report their victimization and the reluctance of law enforcement to respond the cases of identity theft can: reduce victims’ access to criminal justice processes, affect investigation and prosecution of these crimes, increase victims’ sense of helplessness, and reduce victims’ chances of accessing critical information and resources to prevent victimization and revictimization and recover from the aftermath of their victimization. Accordingly, there is a need for individuals, law enforcement, victim service providers, and policymakers to put as much emphasis on the acquisition of personal information as the subsequent frauds (Gies et al., 2021 ) and to better understand the nature of this crime including stages, types, victims, perpetrators, and consequences of identity theft and the evolving opportunity structure for identity theft.
The research evidence on the lower likelihood of identity fraud reporting among individuals who had negative interactions with law enforcement further suggest that there is a need for making it easier for victims to report their victimization, increasing public outreach to encourage reporting, commitment of leadership to a victim-centered approach, training of police officers on the nature of identity theft and fraud and different forms of identity fraud. However, similar to the experiences of victim service providers, budget limitations can prohibit local law enforcement from putting in place organizational inputs (such as establishing an identity theft unit, having victim advocates, and providing continuous training) to ensure these outcomes. Collaboration between federal and local law enforcement organizations in training of officers and increasing state funding for police departments to have cybercrime and identity theft units and employ identity theft analysts and investigators can lift some of these barriers. There is also a need to better educate the employees of banks and financial institutions about the nature of identity theft and to use this communication between identity theft victims and these organizations as an opportunity to direct victims to government and non-profit organizations specialized in helping identity theft and identity fraud victims.
Studies on risk factors of identity fraud victimization further show that risk factors for victimization vary by identity fraud types. Studies in this review further showed that people of color, individuals from lower socio-economic backgrounds, individuals with chronic identity fraud victimization experiences, and individuals with multiple identity fraud victimizations at a short amount of time in the near past might be more likely to experience more serious forms of identity fraud and might be at heightened risk of experiencing aggravated harms. However, these studies exclude critical groups and do not provide information about the risk factors for detailed subcategories of identity fraud such as various subcategories of instrumental frauds. The research on protective behavior of individuals against identity fraud is not conclusive and is not able to temporally differentiate the impact of protective behaviors on identity fraud victimization due to the cross-sectional design of studies. Longitudinal studies of protective behavior and more detailed data collection and analysis on risk factors for victimization can provide critical insight for public education about risk factors and targeting of this information through different means to groups at risk.
Longitudinal studies following identity fraud victims are also essential for reliably estimating the true impact of identity fraud victimization on victims and the effectiveness of services and programs offered to identity fraud victims. There is also a need to better distinguish the impacts of identity fraud victimization for detailed categories of identity fraud.
The overwhelming evidence on the differential impact of identity fraud for victims of different identity frauds and victims of different circumstances reiterate the importance of recognizing that not every identity fraud is the same and not every identity fraud victim will experience severe trauma and other negative consequences. Considering the limited funding and resources for victims of crime in general, and victims of identity frauds in particular, better identification of victims who are in need of extended services and triage of services and resources between different organizations are essential to provide holistic and long-term services to victims who are at highest risk to experience chronic victimization and aggravated harms as a result of their victimization.
The overwhelming lack of research on the impact of programs and services for identity fraud victims necessitates more attention from scholars and practitioners to study the impact of programs, interventions, and services for identity fraud victims on reporting of victimization, prevention of victimization, experiences of victims, and victim-centered cost benefit analysis of services. The empirical evidence on the more positive outcomes experienced by victims of identity fraud who have a meaningful and satisfactory experience with victim service professionals and who are receiving specialized services suggest the promising potential of trauma informed services and continuity of services for a specific group of victims experiencing more serious forms of identity frauds. However, more research is needed to identify which characteristics and components of specialized services that are more likely to produce positive outcomes for identity fraud victims.
Although phishing and vishing (i.e., voice phishing) has not been included in the scope of this review, another emerging important topic in relation to the understanding individuals’ vulnerability to identity fraud and other types of frauds is the use of artificial intelligence (AI) in fraudulent activities. Recently, the ITRC ( 2019 ) reported the first case of the use of artificial intelligence in AI-related fraud in which AI was used to impersonate the head of a German company to successfully request money from the CEO of the UK branch of the company.
Lastly, although this review focused on individual victims of identity fraud, and not organizational victims, considering the increasing number of data breaches; greater preventative efforts are required at the organizational level to secure operations, to fix vulnerabilities, and to better notify involved parties (FTC, 2022 ). Establishment of uniform data security and data breach notification standards across the US and federal enforcement of these standards can simultaneously reduce identity theft and identity fraud risk by targeting both collective and individual targets of identity theft.
The following search string was used in all databases with the exception of JSTOR: (“identity theft” OR “identity fraud” OR “social security fraud” OR “credit card fraud” OR “account fraud” OR “internet fraud” OR “cyber fraud”) AND (victim*). For JSTOR database the following truncated search string was used due to word limitations: ("identity theft" OR "identity fraud") AND (victim*). These search strings were applied to the title or abstracts of the sources included in these databases.
*Anderson, K. B. (2006). Who are the victims of identity theft? The effect of demographics. Journal of Public Policy & Marketing, 25 (2), 160–171.
Article Google Scholar
*Betz, A.E. (2012). The experiences of adult/child identity theft victims. (Unpublished doctoral dissertation). Iowa State University, Ames.
*Binette, J. (2004). AARP Oklahoma Legislative issues survey: identity theft. https://assets.aarp.org/rgcenter/post-import/ok_id_theft.pdf* . Accessed 5 Dec 2021.
*Burnes, D., DeLiema, M., & Langton, L. (2020). Risk and protective factors of identity theft victimization in the United States. Preventive Medicine Reports, 17 , 101058.
Article PubMed PubMed Central Google Scholar
*Burton, C. (2008). Consumer fraud: A 2008 survey of AARP Colorado members’ experiences and opinions . AARP Foundation.
Google Scholar
Button, M., Lewis, C., & Tapley, J. (2014). Not a victimless crime: The impact of fraud on individual victims and their families. Security Journal, 27 (1), 36–54.
Buzzard, J., & Kitten, T. (2021). Identity fraud study: Shifting angles”. https://www.javelinstrategy.com/research/2021-identity-fraud-study-shifting-angles . Accessed 5 Dec 2021.
*Copes, H., Kerley, K. R., Huff, R., & Kane, J. (2010). Differentiating identity theft: An exploratory study of victims using a national victimization survey. Journal of Criminal Justice, 38 (5), 1045–1052.
Copes, H., & Vieraitis, L. M. (2009). Bounded rationality of identity thieves: Using offender-based research to inform policy. Criminology & Public Policy, 8 (2), 237–262.
Copes, H., & Vieraitis, L. M. (2012). Identity thieves: Motives and methods . UPNE.
Cornish, D., & Clarke, R. V. (1986). The reasoning criminal: Rational choice perspectives on offending . Springer-Verlag.
Book Google Scholar
*Cornelius, D. R. (2016). Online identity theft victimization: An assessment of victims and non-victims level of cyber security knowledge (Doctoral dissertation, Colorado Technical University).
*DeLiema, M., Burnes, D., & Langton, L. (2021). The financial and psychological impact of identity theft among older adults. Innovation in Aging . https://doi.org/10.1093/geroni/igab043
*Dinger, E., & Sauer, J. (2006). Protecting your name: A survey of Montanans on identity theft. https://www.aarp.org/money/scams-fraud/info-2006/mt_id.html . Accessed 5 Dec 2021.
Dixon, P. & Barrett, T. (2013). Medical identity theft. Office for Victims of Crime’s National Identity Theft Network. https://www.youtube.com/watch?v=sOa6AWzHSEs . Accessed 5 Dec 2021.
Federal Trade Commission (FTC). (2004). FTC issues final rules on FACTA identity theft definitions, active duty alert duration, and appropriate proof of identity. https://www.ftc.gov/news-events/press-releases/2004/10/ftc-issues-final-rules-facta-identity-theft-definitions-active . Accessed 5 Dec 2021.
Federal Trade Commission (FTC). (2011). Stolen futures: A forum on child identity theft. https://www.ftc.gov/news-events/events-calendar/2011/07/stolen-futuresforum-child-identity-theft . Accessed 5 Dec 2021.
Federal Trade Commission (FTC). (2017). Identity theft: planning for the future, parts 1, 2, and 3. https://www.ftc.gov/news-events/audio-video/video/identity-theft-planning-future-part-1 . Accessed 5 Dec 2021.
Federal Trade Commission (FTC). (2018). Consumer sentinel network data book 2017. Washington, DC: Federal Trade Commission. https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-january-december-2016/csn_cy-2016_data_book.pdf . Accessed 5 Dec 2021.
Federal Trade Commission (FTC). (2022). Data breach response: A guide for business. https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business . Accessed 20 Dec 2022.
*Gies, S. V., Piquero, N. L., Piquero, A. R., Green, B., & Bobnis, A. (2021). Wild, wild theft: Identity crimes in the digital frontier. Criminal Justice Policy Review, 32 (6), 592–617.
*Golladay, K. A. (2017). Reporting behaviors of identity theft victims: An empirical test of Black’s theory of law. Journal of Financial Crime . https://doi.org/10.1108/JFC-01-2016-0010
*Golladay, K., & Holtfreter, K. (2017). The consequences of identity theft victimization: An examination of emotional and physical health outcomes. Victims & Offenders, 12 (5), 741–760.
Government Accountability Office (GAO). (2017). Identity theft services: services offer some benefits but are limited in preventing fraud. https://www.gao.gov/assets/690/683842.pdf . Accessed 5 Dec 2021.
*Gray, K. (2010). Internet identity theft: An insight into victimology and law enforcement response. (Unpublished doctoral dissertation). Capella University.
*Green, B., Gies, S., Bobnis, A., Leeper Piquero, N., Piquero, A. R., & Velasquez, E. (2021). Exploring identity-based crime victimizations: Assessing threats and victim services among a sample of professionals. Deviant Behavior, 42 (9), 1086–1099.
*Green, B., Gies, S., Bobnis, A., Piquero, N. L., Piquero, A. R., & Velasquez, E. (2020). The role of victim services for individuals who have experienced serious identity-based crime. Victims & Offenders, 15 (6), 720–743.
*Harrell, E. (2017). Victims of Identity Theft, 2014. Washington, DC: US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics. https://www.bjs.gov/content/pub/pdf/vit14.pdf . Accessed 5 Dec 2021.
*Harrell, E. (2019). Victims of Identity Theft, 2016. Washington, DC: US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics. https://www.bjs.gov/content/pub/pdf/vit16.pdf . Accessed 5 Dec 2021.
*Harrell, E. (2021). Victims of identity theft, 2018. Washington, DC: US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics. https://www.bjs.gov/content/pub/pdf/vit16.pdf . Accessed 5 Dec 2021.
*Harrell, E., & Langton, L. (2013). Victims of identity theft, 2012. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics. https://bjs.ojp.gov/content/pub/pdf/vit12.pdf . Accessed 5 Dec 2021.
*Holt, T. J., & Turner, M. G. (2012). Examining risks and protective factors of on-line identity theft. Deviant Behavior, 33 (4), 308–323.
*Holtfreter, K., Reisig, M. D., Pratt, T. C., & Holtfreter, R. E. (2015). Risky remote purchasing and identity theft victimization among older Internet users. Psychology, Crime & Law, 21 (7), 681–698.
Hoy, D., Brooks, P., Woolf, A., Blyth, F., March, L., Bain, C., Baker, P., Smith, E., & Buchbinder, R. (2012). Assessing risk of bias in prevalence studies: modification of an existing tool and evidence of interrater agreement. Journal of Clinical Epidemiology, 65 (9), 934–939.
Article PubMed Google Scholar
Irvin-Erickson, Y., & Ricks, A. (2019). Identity theft and fraud victimization: What we know about identity theft and fraud victims from research-and practice-based evidence. https://www.ojp.gov/ncjrs/virtual-library/abstracts/identity-theft-and-fraud-victimization-what-we-know-about-0 . Accessed 5 Dec 2021.
*ITRC. (2021). Identity theft: the aftermath study . Identity Theft Resource Center.
*ITRC. (2003). Identity theft: the aftermath 2003. https://www.idtheftcenter.org/images/page-docs/IdentityTheftTheAftermath2003.pdF . Accessed 5 Dec 2021.
*ITRC. (2005). Identity theft: the aftermath 2004. https://www.idtheftcenter.org/images/surveys_studies/Aftermath2004.pdf . Accessed 5 Dec 2021.
*ITRC. (2007). Identity theft: the aftermath 2006. https://www.idtheftcenter.org/images/surveys_studies/Aftermath2006.pdf . Accessed 5 Dec 2021.
*ITRC. (2008). Identity theft: the aftermath 2007. https://www.idtheftcenter.org/images/surveys_studies/Aftermath2007.pdf . Accessed 5 Dec 2021.
*ITRC. (2009). Identity theft: the aftermath 2008. https://www.idtheftcenter.org/images/surveys_studies/Aftermath2008.pdf . Accessed 5 Dec 2021.
*ITRC. (2010). Identity theft: the aftermath 2009. https://www.idtheftcenter.org/images/surveys_studies/Aftermath2009.pdf . Accessed 5 Dec 2021.
*ITRC. (2014). Identity theft: the aftermath 2013. https://www.idtheftcenter.org/images/surveys_studies/Aftermath2013.pdf . Accessed 5 Dec 2021.
*ITRC. (2015). Identity theft: the aftermath 2014 https://www.idtheftcenter.org/images/surveys_studies/Aftermath2014FINAL.pdf . Accessed 5 Dec 2021.
*ITRC. (2017). Identity theft: the aftermath 2016. https://www.idtheftcenter.org/images/page-docs/AftermathFinal_2016.pdf . Accessed 5 Dec 2021.
*ITRC. (2018a). Identity theft: the aftermath 2017. https://www.idtheftcenter.org/images/page-docs/Aftermath_2017.pdf . Accessed 5 Dec 2021.
*ITRC. (2018b). The aftermath: the non-economic impacts of identity theft . Identity Theft Resource Center.
ITRC. (2019). First-ever AI fraud case steals money by impersonating CEO . Identity Theft Resource Center.
*Kpaduwa, F. I. (2010). Evaluation of residential consumers knowledge of wireless network security and its correlation with identity theft (Unpublished doctoral dissertation). University of Phoenix.
*Langton, L., & Planty, M. (2010). Victims of identity theft, 2008. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics. https://bjs.ojp.gov/content/pub/pdf/vit08.pdf . Accessed 5 Dec 2021.
*Li, Y., Yazdanmehr, A., Wang, J., & Rao, H. R. (2019). Responding to identity theft: A victimization perspective. Decision Support Systems, 121 , 13–24.
*Marcum, C. D., Higgins, G. E., & Mackinnon, A. (2016). Identity theft reports of adolescents. Journal of Financial Crime . https://doi.org/10.1108/JFC-07-2015-0038
Mays, N., & Pope, C. (2020). Quality in qualitative research. In C. Pope & N. Mays (Eds.), Qualitative research in health care (pp. 211–233). Wiley.
Chapter Google Scholar
McNally, M. M., Newman, G. R., & Graham, C. (2008). Perspectives on identity theft (Vol. 23). Criminal Justice Press.
National Conference of State Legislatures, (2022). Security breach notification laws. https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx . Accessed 20 Dec 2022.
*Navarro, J. C., & Higgins, G. E. (2017). Familial identity theft. American Journal of Criminal Justice, 42 (1), 218–230.
Newman, G. R., & McNally, M. M. (2005). Identity theft literature review. https://www.ojp.gov/ncjrs/virtual-library/abstracts/identity-theft-literature-review . Accessed 5 Dec 2021.
Newman, G. R., & McNally, M. M. (2007). Identity theft: a research review. https://www.ojp.gov/ncjrs/virtual-library/abstracts/identity-theft-research-review . Accessed 5 Dec 2021.
Office for Victims of Crime (OVC). (2010). Expanding services to reach victims of identity theft and financial fraud. https://www.ovc.gov/pubs/ID_theft/pfv.html . Accessed 5 Dec 2021.
Pascual, A., Marchini, K., & Miller, S. (2018). 2 018 Identity fraud: fraud enters a new era of complexity. Javelin Strategy & Research.
Pierce, P. (2009). Identity theft. Office for victims of crime training and technical assistance center. http://www.ncdsv.org/images/OVCTTAC_IdentityTheftResourcePaper_2012.pdf . Accessed 5 Dec 2021.
*Ponemon Institute. (2011). Second annual survey on medical identity theft. https://www.experian.com/innovation/thought-leadership/medical-identity-theft-second-annual-survey.jsp . Accessed 5 Dec 2021.
*Ponemon Institute. (2012). Third annual survey on medical identity theft. https://www.ponemon.org/research/ponemon-library/security/?tag=38 . Accessed 5 Dec 2021.
*Ponemon Institute. (2013). 2013 survey on medical identity theft. https://www.ponemon.org/local/%20upload/file/2013%20Medical%20Identity%20Theft%20%20Report%20FINAL%2011.pdf . Accessed 5 Dec 2021.
*Ponemon Institute. (2015). Fifth annual study on medical identity theft. https://static.nationwide.com/static/2014_Medical_ID_Theft_Study.pdf?r=65#:~:text=The%20five%2Dyear%20growth%20rate,victim%20or%20non%2Dvictim%20status.&text=This%20year%20we%20collected%2051,victims%20after%20sampling%205%2C000%20trials . Accessed 5 Dec 2021.
*Pryor, W. J. (2009). When your identity gets hijacked: The victim’s experience of identity theft (un published doctoral dissertation) . California Institute of Integral Studies.
*Randa, R., & Reyns, B. W. (2020). The physical and emotional toll of identity theft victimization: A situational and demographic analysis of the National Crime Victimization Survey. Deviant Behavior, 41 (10), 1290–1304.
*Reynolds, D. (2020). The differential effects of identity theft victimization: How demographics predict suffering out-of-pocket losses. Security Journal . https://doi.org/10.1057/s41284-020-00258-y
*Reyns, B. W., Fisher, B. S., Bossler, A. M., & Holt, T. J. (2019). Opportunity and self-control: Do they predict multiple forms of online victimization? American Journal of Criminal Justice, 44 (1), 63–82.
*Reyns, B. W., & Randa, R. (2017). Victim reporting behaviors following identity theft victimization: Results from the National Crime Victimization Survey. Crime & Delinquency, 63 (7), 814–838.
*Sauer, J.H. (2005). Stealing your good name: a survey of Washington State residents 18+ on identity theft incidence and prevention. AARP Knowledge Management, AARP Research. https://www.aarp.org/money/scams-fraud/info-2005/stealing_your_good_name_a_survey_of_washington_sta.html . Accessed 5 Dec 2021.
*Sauer, J.H. (2010). Consumer fraud issues: survey of AARP members 50+ in West Virginia. AARP Knowledge Management, AARP Research. https://www.aarp.org/money/scams-fraud/info-03-2010/wva_fraud_10.html . Accessed 5 Dec 2021.
*Silberman, S.L. (2004). AARP minnesota identity theft survey: a study of residents 18+. AARP Knowledge Management, AARP Research. https://www.aarp.org/money/scams-fraud/info-2004/aresearch-import-927.html . Accessed 5 Dec 2021.
*Synovate. (2003). Federal Trade Commission—identity theft survey report. https://www.ftc.gov/sites/default/files/documents/reports/federal-tradecommission-identity-theft-program/synovatereport.pdf . Accessed 5 Dec 2021.
*Synovate. (2007). Federal Trade Commission—2006 identity theft survey report. https://www.ftc.gov/sites/default/files/documents/reports/federal-tradecommission-2006-identity-theft-survey-report-preparedcommission-synovate/synovatereport.pdf . Accessed 5 Dec 2021.
Tedder, K. & Buzzard, J. (2020). 2020 Identity fraud study: genesis of the identity fraud crisis. https://www.javelinstrategy.com/research/2020-identity-fraud-study-genesis-identity-fraud-crisis . Accessed 5 Dec 2021.
Turanovic, J. J., & Pratt, T. C. (2019). Thinking about victimization: Context and consequences . Routledge.
Vieraitis, L. M., Copes, H., Powell, Z. A., & Pike, A. (2015). A little information goes a long way: Expertise and identity theft. Aggression and Violent Behavior, 20 , 10–18.
Download references
Acknowledgements
I would like to thank the anonymous peer reviewers, Dr. Schumann, and Dr. Wortley for their thoughtful feedback on this manuscript. I would like to thank Alexandra Ricks for her contribution to the early stages of this project. I would like to thank Dr. David B. Wilson for sharing resources on assessments of quality of qualitative research. I would like to also thank Dr. Christopher Koper for his review of and thoughtful feedback on an earlier version of this article.
Author information
Authors and affiliations.
George Mason University, 354 Enterprise Hall, 4400 University Drive, MS 4F4, Fairfax, VA, 22030, USA
Yasemin Irvin-Erickson
You can also search for this author in PubMed Google Scholar
Contributions
The author conducted the review presented in this article and approved the final manuscript.
Corresponding author
Correspondence to Yasemin Irvin-Erickson .
Ethics declarations
Competing interests.
The author declares that she has no competing interests.
Additional information
Publisher's note.
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Flow chart diagram of search results and identification of studies
Hoy et al. ( 2012 ) risk of bias tool
Note: If there is insufficient information in the article to permit a judgment for a particular item, please answer No (HIGH RISK) for that particular item.
- *All descriptive quantitative studies were evaluated based on items 1–5, 7(if necessary), and 8. Items 6, 9, and 10 were only used to assess the risk of bias within prevalence studies
Mays and Pope ( 2020 ) framework for assessing quality of qualitative studies
Quality/risk of bias evaluations and ratings for included studies, evaluation of quantitative studies.
This review adopted criteria from Hoy et al.’s ( 2012 ) risk of bias evaluation tool (see Appendix 2) to evaluate the risk of bias within quantitative studies. Hoy et al.’s ( 2012 ) risk of study bias assessment, similar to the GRADE approach, does not include a numerical rating but rather evaluates the overall risk of bias based on assessment of risk of bias of individual risk items (Hoy et al., 2012 ). Each quantitative study in this study was assigned into one of the following three categories based on an overall evaluation of risk of study bias based on this tool: low risk of bias, moderate risk of bias, or high risk of bias (see below for individual study ratings and Appendix 5 for bias/quality notes).
Evaluation of qualitative studies
Seventeen appraisal questions from Mays and Pope ( 2020 ) were used to evaluate the quality of qualitative studies based on the reporting of findings, study design, data collection, analysis, reporting, reflexivity and neutrality, ethics, and auditability of the studies (see Appendix 3). In this review, each qualitative study was allocated into one of the following three categories based on an overall evaluation of the study quality based on these 17 indicators: low quality, medium quality, or high quality (see below for individual study ratings and Appendix 5 for bias/quality notes).
Evaluation of mixed-method studies
For the only mixed-method study included in this review (see ITRC, 2003 ), the risk of bias and the study quality were evaluated separately for qualitative and quantitative elements of the study utilizing the frameworks by Hoy et al. ( 2012 ) and Mays and Pope ( 2020 ) (see below for individual study rating and Appendix 5 for bias/quality notes).
- *Studies that analyze data quantitatively were classified into one of the following three bias ratings: low risk of bias, moderate risk of bias, or high risk of bias
- **Studies that analyze data qualitatively were classified into one of the following three quality ratings: low quality, medium quality, or high quality
- ***For the only mixed-method study included in this review, results from qualitative and quantitative analysis were evaluated separately
Bias and quality assessment summary notes for included studies
Rights and permissions.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ . The Creative Commons Public Domain Dedication waiver ( http://creativecommons.org/publicdomain/zero/1.0/ ) applies to the data made available in this article, unless otherwise stated in a credit line to the data.
Reprints and permissions
About this article
Cite this article.
Irvin-Erickson, Y. Identity fraud victimization: a critical review of the literature of the past two decades. Crime Sci 13 , 3 (2024). https://doi.org/10.1186/s40163-024-00202-0
Download citation
Received : 11 August 2023
Accepted : 27 January 2024
Published : 10 February 2024
DOI : https://doi.org/10.1186/s40163-024-00202-0
Share this article
Anyone you share the following link with will be able to read this content:
Sorry, a shareable link is not currently available for this article.
Provided by the Springer Nature SharedIt content-sharing initiative
- Identity theft
- Identity fraud
Crime Science
ISSN: 2193-7680
- General enquiries: [email protected]
An official website of the United States government
The .gov means it’s official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
The site is secure. The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
- Publications
- Account settings
Preview improvements coming to the PMC website in October 2024. Learn More or Try it out now .
- Advanced Search
- Journal List
- Innov Aging
The Financial and Psychological Impact of Identity Theft Among Older Adults
Marguerite deliema.
1 University of Minnesota School of Social Work, Saint Paul, Minnesota, USA
David Burnes
2 Factor-Inwentash Faculty of Social Work, University of Toronto, Toronto, Ontario, Canada
Lynn Langton
3 Applied Justice Research Division, RTI International, Research Triangle Park, North Carolina, USA
Background and Objectives
Society’s growing reliance on technology to transfer private information has created more opportunities for identity thieves to access and misuse personal data. Research on identity theft specifically among adults aged 65 and older is virtually nonexistent, yet research focusing on victims of all ages indicates a positive association between age, minority status, and more severe economic and psychological consequences.
Research Design and Methods
Identity theft measures come from a sample of more than 2,000 self-reported victims aged 65 and older from the nationally representative National Crime Victimization Survey Identity Theft Supplements administered in 2014 and 2016. Regression was used to examine how socioeconomic status, demographic characteristics, and incident-specific factors relate to how much money is stolen, the likelihood of experiencing out-of-pocket costs, and emotional distress among older identity theft victims.
Older Black identity theft victims were more likely to have greater amounts of money stolen and were more likely to feel distressed by the incident than older White victims. The most disadvantaged older adults living at or below the federal poverty level were significantly more likely to suffer out-of-pocket costs. The length of time information was misused, experiencing subsequent financial problems and problems with friends/family, and the hours spent resolving identity theft were positively associated with emotional distress. Among those aged 65 and older, age was not significantly associated with losses or emotional distress.
Discussion and Implications
Older adults living in poverty need more resources to assist with recovery and reporting identity theft to law enforcement. Limiting the extent of losses from identity theft and reducing the length of time information is misused may reduce the emotional toll of identity theft on older victims.
Translational Significance: More than 7% of older adults are victims of identity theft each year, and a third experience moderate to severe emotional distress following the incident. We find that victims who can least afford it suffer out-of-pocket costs, and that Black and female victims are more likely to report distress. Victim service organizations should pay special attention to these groups and individuals who lack the social capital to advocate for their financial recovery. Greater psychological support is needed to help older adults recover, in addition to training on how to protect their information from future misuse.
There is a growing body of research on the predictors and consequences of financial victimization of older adults. Existing research focuses primarily on two types of victimization—financial abuse/exploitation (a form of elder abuse), in which the perpetrator occupies a position of expected trust like a friend, family member, or caregiver ( Hall et al., 2016 ); and financial fraud and scams, where a stranger uses a false promise or fabricated threat to deceive the victim into paying money ( DeLiema, 2018 ). Limited research to date has examined the impact of the third form of financial victimization—identity theft—on older adults, despite the increasing prevalence of this serious crime ( Harrell, 2019 ).
Identity theft is the intentional, unauthorized use of a person’s identifying information for unlawful purposes ( Federal Trade Commission [FTC], 1998 ). It includes infiltration into a person’s existing accounts, using a person’s identity to open new accounts, or using personal information to obtain instrumental goods and services such as health care and public benefits ( Harrell, 2019 ). Similar to financial fraud, the vast majority of identity theft victims do not have a preexisting personal relationship with the perpetrator. Yet unlike fraud, most incidents do not involve a direct exchange of information or payment. Rather, identifying information is taken and used without the victim’s knowledge or consent, such as through a data breach or malware attack.
Prior research demonstrates that victims experience severe monetary and nonmonetary consequences following financial victimization. Fraud victims report feeling embarrassed and ashamed, angry, stressed, and anxious, with some reporting depression and strained relationships with family and friends ( Button et al., 2014 ; Financial Institution Regulatory Authority 2015 ). Sharp et al. (2003) found that maladaptive psychological and somatic symptoms increased post identity theft victimization. Longitudinal research has demonstrated that elder mistreatment, including financial exploitation, is associated with increased risks of poor mental and physical health outcomes ( Acierno et al., 2017 ), hospitalization ( Dong & Simon, 2013 ), and mortality ( Lachs et al., 1998 ).
Negative financial, social, and emotional outcomes may be more prevalent and severe among older retired victims who lack employment opportunities to make up their losses or who are unable to navigate the process of resolving the incident with financial institutions and credit bureaus. Additionally, because older generations have relatively greater wealth than younger generations ( Gale et al., 2020 ), they may experience higher levels of theft. Indeed, consumer fraud reports indicate that adults in their 80s experience 3–4 times higher median losses per scam ($1,600) than adults aged 20–49 ( FTC, 2020 ).
Using data from 2012 and 2014 National Crime Victimization Survey (NCVS) Identity Theft Supplements (ITS), Burnes et al. (2020) showed that baby boomers were significantly more likely than millennials to be victims of identity theft. Results from the 2016 ITS show that older adults suffered an estimated $2.5 billion in financial losses ( Harrell, 2019 ). In addition to direct losses, other costs include financial and legal troubles and ruined credit. These consequences may be more severe for older adults with physical or cognitive impairments that make it difficult to contact multiple credit bureaus and financial institutions to report identity misuse. Older adults also have lower knowledge of cybersecurity practices to safeguard their identities from continued misuse ( Nicholson et al., 2019 ).
Several recent studies have examined the financial, psychological, and health consequences of identity theft among U.S. adults of all ages. The 2016 NCVS–ITS shows that 12% of victims experienced out-of-pocket costs, with average losses of $690 ( Harrell, 2019 ). Reynolds (2020) found that unmarried victims and those with lower incomes and educational attainment were significantly more likely to experience out-of-pocket costs following identity theft, as were Hispanic/Latino respondents. Age was positively associated with out-of-pocket costs for incidents that involved misuse of bank account information. Reynolds (2020) also found that the risk of out-of-pocket costs differed by the type of identity theft, such that those who experienced misuse of credit card information were significantly more likely to be reimbursed than victims of bank account identity theft.
Using data from the 2012 NCVS–ITS, Randa and Reynes (2020) examined the predictors of emotional distress among all adults. Thirty-two percent of victims reported that the identity theft incident caused them moderate to severe distress. Older adults were significantly more likely to report distress, as were women and those with lower household incomes. The time spent resolving the incident with credit bureaus and financial institutions was also positively related to distress. Using the same data, Golladay and Holtfreter (2017) examined the emotional and physical consequences following identity theft victimization. Similarly, they found that older adults, minorities, and those who suffered higher losses reported an increasing number of emotional consequences—worry/anxiety, anger, depression, vulnerability, feeling unsafe, confused, violated, etc. There was also a negative association between emotional consequences and socioeconomic status, suggesting that those who are better off financially suffer less in the aftermath of victimization.
Study Purpose
The current body of research suggests that identity theft victimization has a disproportionate negative impact on older adults and low-income people, but no studies have specifically examined the correlates of financial and psychological consequences among older victims. Using combined data on victims from the 2014 and 2016 NCVS–ITS, we examine how socioeconomic status, demographic characteristics, and other incident-related factors relate to the total amount stolen, out-of-pocket costs, and emotional distress among victims aged 65 and older, controlling for the type of identity theft experienced. Results offer insight into what groups are in greatest need of resources for emotional support and financial recovery, as well as greater identity protection.
This study is restricted to respondents aged 65 and older who reported identity theft victimization occurring in the past 12 months in the 2014 and/or 2016 NCVS–ITS survey ( N = 2,513). These cross-sectional ITS surveys were administered during 6-month periods in each of the years and are consistent in survey content and methodology. They were combined for additional statistical power and more robust estimates. The ITS is administered to respondents aged 16 and older at the end of their NCVS interview using computer-assisted personal interviewing or computer-assisted telephone interviewing. Respondents are asked whether they have experienced different types of misuse of identifying information during the prior year. Those who answer affirmatively are asked to think about the most recent incident and answer more detailed, incident-specific questions about the nature and consequences of the experience.
The current study focuses specifically on the aftermath of identity theft victimization (not attempted identity theft) where the older victim was not in a trust relationship with the perpetrator (financial abuse) and did not willingly provide their personal information to the perpetrator in response to a scam solicitation (fraud). Respondents are asked how long their information was misused before they discovered the identity theft. Those who selected “Not applicable, not actually misused” (i.e., attempted identity theft) were removed from the sample ( n = 50, 1.9%). Victims who experienced identity theft resulting from a scam (i.e., stated that the incident occurred after they responded to a scam email/phone call [ n = 45, 1.7%]) were also excluded. Although the vast majority of respondents did not know the identity of the perpetrator (93%), those who did and reported that it was a relative, caregiver, or someone working in the home, housemate, friend, or neighbor ( n = 68, 2.5%) were excluded to avoid overlap with the definition of financial exploitation/abuse by a trusted individual.
The broader NCVS study uses a two-stage, stratified cluster sample design representing U.S. residents living in housing units or group quarters. The overall NCVS–ITS unit response rate was 66% in 2014 and 61% in 2016. Selection bias analysis found little or no bias to ITS estimates due to nonresponse ( US Department of Justice, 2014 , 2016 ). Data were weighted to reflect a nationally representative sample in regard to age, gender, and race/ethnicity and to compensate for survey nonresponse and aspects of the staged sampling design. Further details on NCVS–ITS methods and the survey instruments can be found at https://bjs.ojp.gov/ .
Dependent Variables
Total amount stolen.
Respondents reported how much money (in dollars) identity thieves initially obtained in the incident, regardless of whether these losses were ultimately recovered or reimbursed. In nearly a third of the incidents, identity thieves did not obtain any money, but among those who had money stolen, median losses were $200.00 and mean losses were $1,111.04 (standard deviation [ SD ] = 4,877.70). Based on the distribution, values were recoded into four categories: $0 (reference category; 30% of total), $1–100 (25%), $101–500 (21%), and $501 and greater (17%). Approximately 7% ( n = 201) of victims did not know how much money was stolen and were excluded from this analysis.
Out-of-pocket costs
Out-of-pocket costs are monetary losses that are not reimbursed or recovered following victimization. Because only 7% of older victims experienced out-of-pocket costs, this variable is treated as dichotomous where 0 = no loss and 1 = any loss. Of those who experienced an out-of-pocket cost ( n = 161), the median loss amount is $200.00 with a mean of $1,453.47 ( SD = 9,854.13). Those who did not know whether they suffered out-of-pocket costs (8%) were excluded from this analysis ( n = 209).
Emotional distress
On a 4-point Likert scale, respondents were asked to rate how distressing the misuse of their personal information was to them. Responses included “not at all distressing,” “mildly distressing,” “moderately distressing,” and “severely distressing.” Following the convention used in prior studies ( Golladay & Holtfreter, 2017 ; Randa & Reynes, 2020 ), the item was dichotomized such that those who rated their distress as moderate or severe were coded as “1” (34%).
Independent Variables
Types of identity misuse.
Because the likelihood of being reimbursed or having funds recovered varies based on the nature of identity theft, types of identity misuse were divided into five categories based on how the respondent answered the ITS victimization screening questions. The reference category is existing credit card account : “During the past 12 months, has someone used or attempted to use one or more of your existing credit cards without your permission?” (yes = 1). Other existing accounts include respondents who said yes to one or both of the following questions: “Has someone, without your permission, used or attempted to use your existing checking or savings account, including any debit or ATM cards?” (yes = 1), and/or “Has someone misused or attempted to misuse another type of existing account such as your telephone, cable, gas or electric accounts, online payment accounts like Paypal, insurance policies, entertainment account like iTunes, or something else?” Before answering the items on existing bank account and credit card identity theft, respondents were first asked if they owned either of these accounts. If not, that particular item was skipped. New accounts identity theft was measured using the question: “Has someone, without your permission, used or attempted to use your personal information to open any NEW accounts such as wireless telephone accounts, credit card accounts, loans, bank accounts, online payment accounts, or something else?” (yes = 1). The fourth category is instrumental identity theft that was measured using the following item: “Has someone used or attempted to use your personal information for some other fraudulent purpose, such as filing a fraudulent tax return, getting medical care, applying for a job or government benefits; giving your information to the police when they were charged with a crime or traffic violation, or something else?” (yes = 1). Multiple types of identity theft were defined as a single incident of information exposure (e.g., a stolen wallet) that results in the multiple types of identity theft as described in the categories above.
Socioeconomic indicators
Educational attainment was coded as 0 = less than high school, 1 = high school or GED equivalent, 2 = some college/Associate degree, and 3 = Bachelor’s degree or higher. Percent of federal poverty level (FPL) was an ordinal variable that measured a respondent’s household income as a percentage above, at, or below the FPL as determined by the U.S. Department of Health and Human Services. It is a more robust measure than simply using household income because it takes into account the household size. Harrell et al. (2014) provide additional information on how this measure was calculated.
Demographic characteristics
Age was coded continuously. Race was coded as 0 = White, non-Latino; 1 = Black/African American, non-Latino; 2 = Latino; 3 = other race/ethnicity, non-Latino. Sex was 1 = female. Marital status was 1 = married.
Incident-specific factors
Respondents were asked whether they experienced banking and/or credit problems following identity theft and if they were successful in clearing up the financial and credit issues associated with the misuse of their information. Those who said “yes” were coded as 1 = incident resolved. Time to discovery measured how much time passed between when the victim’s information was misused and when they discovered the misuse, where 0 = one day or less, 1 = more than a day but less than a week, 2 = at least a week, but less than 1 month, 3 = 1 month to less than 6 months, 4 = 6 months or more, and 5 = unknown. Time to resolve was measured continuously as the number of hours it took the victim to clear up any financial and/or credit problems associated with identity theft. Respondents were asked if the incident caused them to have significant problems with family members or friends, including getting into more arguments or fights, not feeling they could trust them as much, or not feeling as close to them as before ( Subsequent problems with family/friends ; 1 = yes). They were also asked if they experienced any credit-or banking-related problems as a result of identity theft, such as being turned down for a line of credit, a loan, or a checking account; having to pay a higher interest rate; or having checks bounce ( Subsequent financial and/or credit problems ; 1 = yes). They were also asked if they contacted a bank, credit card company, or other financial institution following the incident ( Contacted financial institution ; 1 = yes). This behavior may also affect whether the victim was able to recover all or a portion of their stolen funds or reverse unapproved charges. Multiple ID theft incidents measured whether the victim experienced other separate incidents of identity theft within the past 12 months (1 = yes), and prior victimization measured whether the respondent experienced identity theft victimization occurring prior to the past 12 months (1 = yes).
Population weights were applied in all analyses. Models were analyzed in SPSS 25 using complex samples procedures to account for the address-based sampling design of the NCVS. Using ordinal regression, the total amount stolen was regressed on demographic and socioeconomic victim characteristics ( N = 2,307). The four levels of the dependent variable were $0 stolen (reference), $1–100, $101–500, and $501 or more. Additional independent variables included the type of identity theft (existing credit card = reference) and whether the victim contacted their financial institution to report the incident. Using logistic regression, out-of-pocket costs were regressed on the same demographic and socioeconomic characteristics, as well as the type of identity theft and whether the victim contacted their financial institution following the incident ( N = 2,302).
In a final logistic regression, emotional distress was regressed on demographic and socioeconomic characteristics, type of identity theft, and other incident-specific factors ( N = 2,160). These additional factors included banking and/or credit problems = 1, incident resolved = 1, time to discovery (ordinal), hours spent resolving incident (continuous), subsequent problems with friends/family = 1, subsequent financial and/or credit problems = 1, multiple identity theft incidents = 1, and prior identity theft victimization = 1. The sample size dropped due to missing responses on the additional independent variables.
Sample Characteristics
Table 1 presents sample characteristics. Approximately half of the identity theft victims surveyed were female (51%) and 65% were married. The mean age was 72 years. Forty-four percent of victims had a bachelor’s degree or higher. The majority lived in a suburban environment (56%), followed by urban (28%) and rural (16%). Eighty-eight percent were White (non-Latino), 5% were Black, and 4% were Latino. In 2016, the federal poverty threshold for a two-person household was an annual household income of less than $16,000. Five percent of older identity theft victims in this sample were at or below 100% FPL (adjusted for their household size), whereas 36% were at or above 501% FPL.
Weighted Sample Characteristics
Total Amount Stolen
Few victim characteristics were associated with the total amount of money stolen (Model 1, Table 2 ). However, older Black victims of identity theft were more likely to have higher dollar amounts stolen than older White victims (odds ratio [OR] = 1.50, 95% confidence interval [CI] = 1.08–2.07, p = .016). Victim age, sex, educational attainment, marital status, area of residence, and poverty level were not associated with the amount stolen. Type of identity theft reported was significant such that experiencing multiple types of identity theft was related to increasing amounts of money stolen relative to existing credit card identity theft (OR = 1.59, 95% CI = 1.11–2.27, p = .012). Amount stolen was negatively associated with contacting a financial institution (OR = 0.41, 95% CI = 0.28–0.61, p < .001), meaning that having less money stolen decreases the odds of contacting a financial institution by nearly 60%.
Factors Associated With Increasing Amounts of Money Stolen and Out-of-Pocket Costs Following Identity Theft
a Incorporates household size.
Out-of-Pocket Costs
As given in Model 2, Table 2 , more socioeconomic and demographic characteristics were associated with out-of-pocket costs, which are financial losses that are not reimbursed by financial institutions or recovered by victims. Older victims who identified as single (divorced, widowed, separated, never married) were significantly less likely than older married victims to have out-of-pocket costs (OR = 0.54, 95% CI = 0.34–0.84, p = .007). In addition to experiencing significantly higher amounts stolen, older Black victims showed a trend ( p < .1) toward being more likely to experience out-of-pocket costs (OR = 1.86, 95% CI = 0.90–2.84, p = .09). Victims who identified their race as “other,” which includes the categories of Asian, Pacific Islander, and Indigenous, were significantly more likely to suffer out-of-pocket costs than older White victims (OR = 3.60, 95% CI = 1.69–7.67, p = .001). Those living at or below the FPL (0–100% FPL) were significantly more likely to experience out-of-pocket costs relative to those living at 501% or more FPL (OR = 4.93, 95% CI = 2.50–9.73, p < .001). Relative to those who reported existing credit card identity theft, those who reported other existing account identity theft were significantly less likely to suffer out-of-pocket costs (OR = 0.54, 95% CI = 0.35–0.83, p = .005), suggesting that this type of identity theft is less likely to involve financial losses. Victim age, sex, educational attainment, and urbanicity were not significantly associated with out-of-pocket costs. Unlike the total amount stolen, whether the victim contacted their financial institution was not significant for out-of-pocket costs.
Emotional Distress
Table 3 presents the results of emotional distress regressed on victim demographic and socioeconomic characteristics, along with incident-related factors that may affect psychological outcomes following victimization. Female victims were 40% more likely to report distress than male victims (OR = 1.40, 95% CI = 1.13–1.74, p = .002). Relative to older White victims, older Black victims were 76% more likely to experience emotional distress (OR = 1.76, 95% CI = 1.14–2.70, p = .010), and those who identified their race/ethnicity as “other” were 46% less likely to report distress (OR = 0.54, 95% CI = 0.30–0.96, p = . 034).
Factors Associated With Emotional Distress Following Identity Theft ( N = 2,160)
Victims who suffered out-of-pocket costs were 87% more likely to report emotional distress relative to those with no out-of-pocket costs (OR = 1.87, 95% CI = 1.11–3.14, p = .018). Even after controlling for out-of-pocket costs, those who had between $101 and $500 stolen were 38% more likely to feel distressed (OR = 1.38, 95% CI = 1.02–1.87, p = .038), and those who had $501 or more stolen were two and a half times as likely to feel distressed (OR = 2.46, 95% CI = 1.76–3.44, p < .001) compared to those who had no money taken. Other existing account identity theft was negatively associated with experiencing distress (OR = 0.69, 95% CI = 0.53–0.89, p = .004). Relative to those who discovered their identity had been misused within the same day of the theft, those who discovered it a week to 1 month later were 58% more likely to feel distressed (OR = 1.58, 95% CI = 1.18–2.14, p = .003), and those who did not discover the incident until 1 month to 6 months later were more than twice as likely to feel distressed (OR = 2.21, 95% CI = 1.53–3.18, p < .001), although discovering the incident more than 6 months later had no effect. Experiencing multiple incidents of identity theft within the same year was also significantly associated with distress (OR = 1.41, 95% CI = 1.10–1.81, p = .007). Older victims who reported that identity theft led to subsequent financial and credit problems were 94% more likely to experience emotional distress (OR = 1.94, 95% CI = 1.02–3.71, p = .045), and those who stated that the incident negatively affected their relationships with friends and/or family members were 11 times more likely to report moderate to severe emotional distress (OR = 11.59, 95% CI = 2.31–58.16, p = .003).
This is the first study to examine the financial and psychological outcomes of identity theft among older adult victims. Although only 7% of older victims experience out-of-pocket costs associated with identity theft, 34% describe the experience as moderately to severely distressing, indicating that the harm resulting from personal information misuse extends beyond direct financial losses.
Incident-specific factors are important contributors to distress. The more money that is stolen from the victim during the incident, the greater the odds of emotional distress, regardless of whether losses are recovered or reimbursed. Also, the longer information is misused before the crime is discovered, the more subsequent financial and credit problems, and the more hours spent resolving the incident, the greater the likelihood of distress. Our findings reflect results from a smaller survey of a few hundred adult victims that found that the magnitude of financial loss, the duration of misuse of personal information, and the amount of time spent resolving the effects of the crime are all factors that increase perceived distress ( Li et al., 2019 ).
Beyond incident-specific characteristics, we find that older Black victims and older female victims are significantly more likely to report emotional distress, controlling for other demographic and socioeconomic characteristics. Prior work using the ITS shows that minorities experience higher levels of distress than Caucasian individuals ( Golladay & Holtfreter, 2017 ), and Burnes et al. (2020) found that Black respondents were 58% more likely to report instrumental identity theft relative to other race and ethnic groups. This subtype of identity theft may be particularly stressful for victims because it involves using the victim’s personal identity to obtain benefits and services that the victim is entitled to, such as health care, tax refunds, and enrollment in government programs. The higher prevalence of instrumental identity theft in Black communities may help account for their higher levels of distress, although this type of identity theft was not significantly associated with distress in the current models.
Older Black victims were also more likely to have increasing amounts of money stolen relative to older White victims, although there were no statistically significant differences in out-of-pocket costs. Rather, those who are Asian, Pacific Islander, Indigenous, mixed race, or other race/ethnicity were more likely to suffer out-of-pocket costs. Controlling for out-of-pocket costs, this group was counterintuitively less likely to report emotional distress following the incident. More research is needed to better understand the relationship between identity theft and distress among older adults who belong to these minority groups.
We find that the poorest older Americans are more likely to suffer out-of-pocket costs. Specifically, relative to the wealthiest victims aged 65 and older, those who live at or below the FPL are nearly 5 times as likely to bear a financial burden following the incident, even after accounting for the type of identity theft and whether the victim contacted their financial institution. Consistent with findings from the general U.S. adult population ( Copes et al., 2010 ; Reynolds, 2020 ), our results illustrate the importance of social and economic capital in addressing identity theft incidents. To resolve identity theft, the FTC recommends that victims contact their financial institutions or the company involved in the incident, change their passwords, request that money be reimbursed or charges reversed, contact all three credit bureaus to place fraud alerts, and report the incident to authorities. Depending on the severity of the incident, victims may also need to place a freeze on their credit, write to credit bureaus to request corrections to their credit reports, close unauthorized new accounts, write to debt collectors explaining the situation, report to the Social Security Administration, and replace government-issued IDs. These tasks can place a tremendous burden on low-income older adults, many of whom lack access to broadband internet, supportive ties who can advocate on their behalf, or the knowledge and wherewithal to negotiate with powerful financial institutions. Research is needed to determine whether wealthy and/or White older adults are treated differently by their financial institutions when they report identity theft, and whether they are more likely to have account safeguards in place or a client/customer status that helps keep their information safe.
This is the first study to show the negative impact of identity theft on social relationships after controlling for other victim and incident-level characteristics. Maintaining strong positive social and emotional relationships is critical for health and well-being in later life ( Cho et al., 2015 ; Litwin & Shiovitz-Ezra, 2011 ). Findings here illustrate that victims who reported that identity theft caused significant problems with family members or friends were 12 times as likely to experience emotional distress, suggesting that identity theft can have severe ramifications for older adults’ well-being. Qualitative research is needed to understand how identity theft victimization leads to relationship discord. One possibility is that family members blame the older victim for the incident, assuming that they did not keep their personal information secure or that they waited too long to take action. Victim blaming is common in fraud and is likely a driver of low rates of reporting ( Cross, 2015 ; Cross et al., 2016 ). Future studies are needed to understand the role that family and friends play in helping victims recover from identity theft. Family participation in working to protect an older adult from identity crimes, such as providing account oversight and coaching on cybersecurity practices, may be a critical factor in keeping them safe against future victimization.
Implications and Future Research
Findings suggest that limiting the extent of losses and reducing the length of time information is misused prior to detection may reduce the emotional toll of identity theft. Older adults in particular should increase surveillance of their identifying information by using identity protection software, two-step authentication features, signing up for credit alerts, and applying low spending limits on credit cards. Other personal protection behaviors, such as routinely changing passwords, making passwords complicated and varying them for each account, monitoring financial transactions, and locking up or shredding documents, are also important for preventing identity theft. Future research should examine the impact of these identity protection behaviors specifically among older adults. Moreover, this study excluded many older adults who experienced attempted identity theft. Using NCVS–ITS data, additional research may explore how these individuals differ from victims, particularly in regards to their identity protection behaviors.
Given that the length of identity misuse is strongly related to emotional distress, financial institutions should act swiftly to stop suspicious transactions before charges can escalate, and organizations should not delay in informing their customers, employees, and law enforcement of data breaches that involve personal or payment information. Unfortunately, Lacey and Cuganesan (2004) report that a minority of organizations report possible data breaches to law enforcement agencies, indicating that consumers also fail to learn about potential information exposure.
Like identity theft, very little research has been done to examine the outcomes of fraud victimization on older adults. To that end, the Bureau of Justice Statistics recently released a new fraud supplement that assesses the prevalence of different types of fraud. The questionnaire includes information on the amount lost and the emotional impact on victims. Although the amount varied by scam type, victims lost an average of $700 per incident and 53% reported socioemotional problems as a consequence of victimization ( Morgan, 2021 ). Future research should compare how the outcomes of fraud victimization compare to the outcomes of identity theft, and whether Black and female victims also experience higher levels of emotional distress.
Some research has explored how identity theft might affect consumers’ trust in the marketplace, particularly their confidence and willingness to engage in online transactions ( Chakraborty et al., 2016 ; Roberts et al., 2013 ). Avoiding the transfer of personal information online is near impossible in today’s society, as most companies and government agencies rely on the internet to do business with consumers. Future research should examine how identity theft victimization affects older consumers’ trust in government agencies and other institutions, and whether it affects online shopping and sharing of personal information in online environments.
The coronavirus pandemic has created new risks of identity theft as many older adults have turned to the internet to meet their shopping, banking, and even health care consultation needs. While the NCVS–ITS data used in this study were collected prior to the pandemic, it should be noted that identity theft was prevalent following the steep rise in joblessness that disproportionately affected low-income and minority workers. International criminals filed for U.S. unemployment benefits using the stolen identities of American citizens, siphoning off approximately $36 billion from the program, or 10% of all funds expended for unemployment benefits under the CARES Act ( Office of the Inspector General, 2020 ). It is unknown how these crimes affected older adults in particular, and whether they have influenced older adults’ confidence in exchanging personal information with the government.
Limitations
Although the ITS is one of the most comprehensive sources of data on identity theft, the survey excludes individuals with severe cognitive impairment and those who live in institutional settings (e.g., psychiatric care, long-term care, nursing homes). The impacts of identity theft on these vulnerable older adults are not known, although victim research on fraud indicates that cognitive decline and dementia are correlates of increased risk ( Boyle et al., 2019 ).
Unfortunately, the ITS does not include measures of whether older adults may be experiencing cognitive decline or other mental or physical health conditions that could affect distress and the ability to recover losses. Moreover, the ITS uses a 1-year reference period and it may be difficult for older victims with cognitive impairment to accurately remember details of the incident and how they felt about it. Identity theft is an unusual crime in that the consequences, such as diminished credit scores or unexplained credit card charges, may be overlooked by some victims and therefore underreported.
Although the survey has relatively high response rates and no strong evidence of bias, it is possible that older adults who refuse to participate in the NCVS or the ITS may be more reluctant to provide personal information in a survey because they have experienced identity theft previously. This would mean that more victims in the nonresponse group are not represented in the data.
Emotional distress was measured as a single item and was recoded from four levels into a dichotomous variable. Although this has been the convention used in prior studies ( Golladay & Holtfreter, 2017 ; Randa & Reynes, 2020 ), a binary treatment reduces information and may conceal nonlinear relationships between distress and other variables. To test for differences in effects, we performed a post hoc ordinal regression. Emotional distress (four levels) was regressed on the same independent variables. Only two substantive differences emerged: Victims of other race/ethnic backgrounds were no longer significantly less likely to experience distress relative to non-Hispanic White victims ( p = .318) and experiencing more than one separate incident of identity theft within the past year was only marginally associated with distress ( p = .066). Future research should consider using a more comprehensive, multi item measure of distress.
Findings from this study largely align with studies that examine the impact of identity theft victimization on adults of all ages, although older adults may present additional vulnerabilities, such as cognitive decline and isolation, which could increase their risk of serious outcomes. New programs and services are needed to help older victims recover, with a particular focus on low-income people and those who lack the ability to advocate for themselves. Advocates may assist older victims with contacting multiple financial institutions and credit bureaus, filing complaints, and freezing their credit. Additional services might include victim support groups and other psychological resources, as well as information for family caregivers on how to support older victims. Future research should assess whether cybersecurity training can help older adults secure their identity information and reduce their risk of future identity crimes.
The research reported herein was performed pursuant to a grant from the U.S. Social Security Administration (SSA) funded as part of the Retirement and Disability Consortium through the University of Wisconsin Center for Retirement Security, project number WI21-11. The opinions and conclusions expressed are solely those of the author(s) and do not represent the opinions or policy of SSA or any agency of the Federal Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of the contents of this report.
Conflict of Interest
The authors have no conflicts of interest to report.
- Acierno, R., Hernandez-Tejada, M. A., Anetzberger, G. J., Loew, D., & Muzzy, W. (2017). The national elder mistreatment study: An 8-year longitudinal study of outcomes . Journal of Elder Abuse & Neglect , 29 ( 4 ), 254–269. doi: 10.1080/08946566.2017.1365031 [ PubMed ] [ CrossRef ] [ Google Scholar ]
- Boyle, P. A., Yu, L., Schneider, J. A., Wilson, R. S., & Bennett, D. A. (2019). Scam awareness related to incident Alzheimer dementia and mild cognitive impairment: A prospective cohort study . Annals of Internal Medicine , 170 ( 10 ), 702–709. doi: 10.7326/M18-2711 [ PMC free article ] [ PubMed ] [ CrossRef ] [ Google Scholar ]
- Burnes, D., DeLiema, M., & Langton, L. (2020). Risk and protective factors of identity theft victimization in the United States . Preventive Medicine Reports , 17 , 101058. doi: 10.1016/j.pmedr.2020.101058 [ PMC free article ] [ PubMed ] [ CrossRef ] [ Google Scholar ]
- Button, M., Lewis, C., & Tapley, J. (2014). Not a victimless crime: The impact of fraud on individual victims and their families . Security Journal , 27 ( 1 ), 36–54. doi: 10.1057/sj.2012.11 [ CrossRef ] [ Google Scholar ]
- Chakraborty, R., Lee, J., Bagchi-Sen, S., Upadhyaya, S., & Rao, H. R. (2016). Online shopping intention in the context of data breach in online retail stores: An examination of older and younger adults . Decision Support Systems , 83 , 47–56. doi: 10.1016/j.dss.2015.12.007 [ CrossRef ] [ Google Scholar ]
- Cho, J., Martin, P., & Poon, L. W.; Georgia Centenarian Study. (2015). Successful aging and subjective well-being among oldest-old adults . The Gerontologist , 55 ( 1 ), 132–143. doi: 10.1093/geront/gnu074 [ PMC free article ] [ PubMed ] [ CrossRef ] [ Google Scholar ]
- Copes, H., Kerley, K. R., Huff, R., & Kane, J. (2010). Differentiating identity theft: An exploratory study of victims using a national victimization survey . Journal of Criminal Justice , 38 ( 5 ), 1045–1052. doi: 10.1016/j.jcrimjus.2010.07.007 [ CrossRef ] [ Google Scholar ]
- Cross, C. (2015). No laughing matter: Blaming the victim of online fraud . International Review of Victimology , 21 ( 2 ), 187–204. doi: 10.1177/0269758015571471 [ CrossRef ] [ Google Scholar ]
- Cross, C., Richards, K., & Smith, R. (2016). The reporting experiences and support needs of victims of online fraud . Trends and Issues in Crime and Criminal Justice , 518 , 1–14. doi: 10.3316/informit.300566903591621 [ CrossRef ] [ Google Scholar ]
- DeLiema, M. (2018). Elder fraud and financial exploitation: Application of routine activity theory . The Gerontologist , 58 ( 4 ), 706–718. doi: 10.1093/geront/gnw258 [ PMC free article ] [ PubMed ] [ CrossRef ] [ Google Scholar ]
- Dong, X., & Simon, M. A. (2013). Elder abuse as a risk factor for hospitalization in older persons . JAMA Internal Medicine , 173 ( 10 ), 911–917. doi: 10.1001/jamainternmed.2013.238 [ PMC free article ] [ PubMed ] [ CrossRef ] [ Google Scholar ]
- Federal Trade Commission. (1998). Identity Theft and Assumption Deterrence Act. Federal Trade Commission. https://www.ftc.gov/node/119459 [ Google Scholar ]
- Federal Trade Commission. (2020). Protecting older consumers 2019–2020: A report of the Federal Trade Commission. https://www.ftc.gov/reports/protecting-older-consumers-2019-2020-report-federal-trade-commission [ Google Scholar ]
- Financial Institution Regulatory Authority Investor Education Foundation. (2015). Non-traditional costs of financial fraud. Applied Research and Consulting. https://www.finrafoundation.org/files/non-traditional-costs-financial-fraud [ Google Scholar ]
- Gale, W. G., Gelfond, H., Fichtner, J. J., & Harris, B. H. (2020). The wealth of generations, with special attention to the millennials (No. w27123) . National Bureau of Economic Research. doi: 10.3386/w27123 [ CrossRef ] [ Google Scholar ]
- Golladay, K., & Holtfreter, K. (2017). The consequences of identity theft victimization: An examination of emotional and physical health outcomes . Victims & Offenders , 12 ( 5 ), 741–760. doi: 10.1080/15564886.2016.1177766 [ CrossRef ] [ Google Scholar ]
- Hall, J. E., Karch, D. L., & Crosby, A. E. (2016). Elder abuse surveillance: Uniform definitions and recommended core data elements for use in elder abuse surveillance, version 1.0. National Center for Injury Prevention and Control, Centers for Disease Control and Prevention. https://www.cdc.gov/violenceprevention/pdf/ea_book_revised_2016.pdf [ Google Scholar ]
- Harrell, E. (2019). Victims of identity theft, 2016. Bureau of Justice Statistics. https://www.bjs.gov/content/pub/pdf/vit16.pdf [ Google Scholar ]
- Harrell, E., Langton, L., Berzofsky, M., Couzens, L., & Smiley-McDonald, H. (2014). Household poverty and nonfatal violent victimization, 2008–2012 . Bureau of Justice Statistics. https://www.bjs.gov/content/pub/pdf/hpnvv0812.pdf [ Google Scholar ]
- Lacey, D., & Cuganesan, S. (2004). The role of organizations in identity theft response: The organization–individual victim dynamic . Journal of Consumer Affairs , 38 ( 2 ), 244–261. doi: 10.1111/j.1745-6606.2004.tb00867.x [ CrossRef ] [ Google Scholar ]
- Lachs, M. S., Williams, C. S., O’Brien, S., Pillemer, K. A., & Charlson, M. E. (1998). The mortality of elder mistreatment . Journal of the American Medical Association , 280 ( 5 ), 428–432. doi: 10.1001/jama.280.5.428 [ PubMed ] [ CrossRef ] [ Google Scholar ]
- Li, Y., Yazdanmehr, A., Wang, J., & Rao, H. R. (2019). Responding to identity theft: A victimization perspective . Decision Support Systems , 121 , 13–24. doi: 10.1016/j.dss.2019.04.002 [ CrossRef ] [ Google Scholar ]
- Litwin, H., & Shiovitz-Ezra, S. (2011). Social network type and subjective well-being in a national sample of older Americans . The Gerontologist , 51 ( 3 ), 379–388. doi: 10.1093/geront/gnq094 [ PMC free article ] [ PubMed ] [ CrossRef ] [ Google Scholar ]
- Morgan, R. E. (2021). Financial fraud in the United States, 2017. Bureau of Justice Statistics. https://bjs.ojp.gov/library/publications/financial-fraud-united-states-2017 [ Google Scholar ]
- Nicholson, J., Coventry, L., & Briggs, P. (2019). If it’s important it will be a headline. Cybersecurity information seeking in older adults . In Proceedings ofthe 2019 CHI conference on human factors in computing systems, Glasgow, Scotland (pp. 1–11). doi: 10.1145/3290605.3300579 [ CrossRef ] [ Google Scholar ]
- Office of the Inspector General. (2020). Top management and performance challenges facing the U.S. Department of Labor. https://www.oig.dol.gov/public/DOL%202020%20Top%20Management%20and%20Performance%20Challenges.pdf [ Google Scholar ]
- Randa, R., & Reyns, B. W. (2020). The physical and emotional toll of identity theft victimization: A situational and demographic analysis of the National Crime Victimization Survey . Deviant Behavior , 41 ( 10 ), 1290–1304. doi: 10.1080/01639625.2019.1612980 [ CrossRef ] [ Google Scholar ]
- Reynolds, D. (2020). The differential effects of identity theft victimization: How demographics predict suffering out-of-pocket losses . Security Journal , 34 , 737–754. doi: 10.1057/s41284-020-00258-y [ CrossRef ] [ Google Scholar ]
- Roberts, L. D., Indermaur, D., & Spiranovic, C. (2013). Fear of cyber-identity theft and related fraudulent activity . Psychiatry, Psychology and Law , 20 ( 3 ), 315–328. doi: 10.1080/13218719.2012.672275 [ CrossRef ] [ Google Scholar ]
- Sharp, T., Shreve-Neiger, A., Fremouw, W., Kane, J., and Hutton, S. (2003). Exploring the psychological and somatic impact of identity theft . Journal of Forensic Sciences , 49 ( 1 ), 1–6. doi: 10.1520/JFS2003178 [ PubMed ] [ CrossRef ] [ Google Scholar ]
- United States Department of Justice. Office of Justice Programs. Bureau of Justice Statistics. (2014). National Crime Victimization Survey: Identity Theft Supplement codebook, 2014 . Inter-university Consortium for Political and Social Research [distributor], 2016-01-27. doi: 10.3886/ICPSR36044.v1 [ CrossRef ] [ Google Scholar ]
- United States Department of Justice. Office of Justice Programs. Bureau of Justice Statistics. (2016). National Crime Victimization Survey: Identity Theft Supplement codebook, 2016 . Inter-university Consortium for Political and Social Research [distributor], 2019-01-09. doi: 10.3886/ICPSR36829.v1 [ CrossRef ] [ Google Scholar ]
An official website of the United States government, Department of Justice.
Here's how you know
Official websites use .gov A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Identity Theft - A Research Review
Based upon "Identity Theft Literature Review" (Graeme R. Newman and Megan M. McNally, July 2005), this online publication assesses what is known about identity theft and recommends areas that need further research.
The research found that identity theft generally involves three stages: acquisition of the identity information, the thief's use of the information for personal gain to the detriment of the victim of identity theft, and discovery of the identity theft. Evidence indicates that the longer it takes to discover the theft, the greater the loss incurred and the less likely it is that prosecution will be successful. Older persons and those with less education are less likely to discover the identity theft quickly and to report it after discovery. The research also found that access to personal information about potential victims and the anonymity the Internet offers would-be thieves are major facilitators of identity theft. Major topics on identity theft reviewed in this report are the definition of identity theft, the extent and patterns of identity theft, types of identity theft, recording and reporting identity theft, law enforcement issues and response, the cost of identity theft, and issues that need more research. Regarding the latter topic, the researchers recommend more research on the best ways to prevent identity theft crimes. Specifically, research should address practices and operating environments of document-issuing agencies that allow offenders to exploit opportunities to obtain identity documents. Research should also focus on practices and operating environments of document-authenticating agencies that allow offenders access to identity data. Also, the structure and operations of the information systems involved with the operational procedures of the aforementioned agents should be researched. The report reviewed more than 160 literature sources that ranged from traditional journal articles to Web sites and presentations.
Additional Details
Related topics, similar publications.
- Best Practices for Optimizing Law Enforcement Job Descriptions to Recruit Diverse Candidates
- 10 Steps for Recruiting More Women Police
- Policies and practices in cold cases: an exploratory study
Identity Theft: Nature, Extent, and Global Response
- Living reference work entry
- First Online: 21 July 2019
- Cite this living reference work entry
- Katelyn A. Golladay 3
183 Accesses
Identity theft is considered to be one of the fastest growing crimes. With the growth of identity theft, research on identity theft offending and victimization has received considerable attention. Much of the research on identity theft has focused on offenders’ motives and methods for offending in addition to the negative consequences experienced by victims of identity theft. Several criminological theories have been applied to explain identity theft offending and victimization experiences. Identity theft is not only a growing concern in the United States. Global responses to identity theft, including laws and policy, are also discussed.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Institutional subscriptions
Akers, R. (1996). Social learning and social structure: A general theory of crime and deterrence . Boston: Northeastern University Press.
Google Scholar
Aleroud, A., & Zhou, L. (2017). Phishing environments, techniques, and counter measures: A survey. Computers & Security, 68 , 160–196.
Article Google Scholar
Allison, S. F. H., Schuck, A. M., & Lersch, K. M. (2005). Exploring the crime of identity theft: Prevalence, clearance rates, and victim/offender characteristics. Journal of Criminal Justice, 33 , 19–29.
Anderson, K. B. (2005). Identity theft: Does the risk vary with demographics? Washington, DC: Bureau of Economics, Federal Trade Commission.
Anderson, K. B. (2006). Who are the victims of identity theft? The effect of demographics. Journal of Public Policy & Marketing, 25 , 160–171.
Bellah, J. (2001). Training: Identity theft. Law and Order, 49 , 222–226.
Black, D. (1976). The behavior of law . Orlando: Academic.
Chatterjee, S., Gao, X., Sarkar, S., & Uzmanoglu, C. (2019). Reacting to the scope of a data breach: The differential role of fear and anger. Journal of Business Research, 101 , 183–193.
Chryssikos, D. (2007). Criminalization and jurisdiction issues. In D. Chryssikos, N. Passas, & C. D. Ram (Eds.), The evolving challenge of identity-related crime: Addressing fraud and the criminal misuse and falsification of identity (pp. 113–128). Courmayeur: ISPCA.
Claugh, J. (2015). Towards a common identity? The harmonization of identity theft laws. Journal of Financial Crime, 22 , 492–512.
Cohen, L. E., & Felson, M. (1979). Social change and crime rate trends: A routine activity approach. American Sociological Review, 44 , 588–608.
Cole, S. A., & Pontell, H. (2006). Don’t be low hanging fruit: Identity theft as moral panic. In T. Monahan (Ed.), Surveillance and security (pp. 125–147). London: Routledge.
Copes, H., & Vieraitis, L. (2007). Identity theft: Assessing offenders’ strategies and perceptions of risk. (NCJ 219122) . Washington, DC: National Institute of Justice.
Copes, H., & Vieraitis, L. M. (2009). Bounded rationality of identity thieves: Using offender-based research to inform policy. Criminology & Public Policy, 8 , 237–262.
Copes, H., & Vieraitis, L. (2012). Identity thieves: Motives and methods . Boston: Northeastern University Press.
Copes, H., Vieraitis, L., & Jochum, J. M. (2007). Bridging the gap between research and practice: How neutralization theory can inform Reid interrogations of identity thieves. Journal of Criminal Justice Education, 18 , 444–459.
Copes, H., Kerley, K. R., Huff, R., & Kane, J. (2010). Differentiating identity theft: An exploratory study of victims using a national victimization survey. Journal of Criminal Justice, 38 , 1045–1052.
Eck, J. E., & Clarke, R. V. (2003). Classifying common police problems: A routine activity approach. Crime Prevention Studies, 16 , 7–39.
Fair and Accurate Credit Transaction Act of 2003, Pub.L. 108-159, 117 Stat. 1952, codified as amended at 15 U.S.C. §§ 1681–1681x.
Federal Bureau of Investigation. (2017). Crime in the United States, 2017: Persons arrested . Retrieved from https://ucr.fbi.gov/crime-in-the-u.s/2017/crime-in-the-u.s.-2017/topic-pages/persons-arrested
Financial Supervisory Service. (2013). Voice phishing victimization state . Retrieved from http://www.fss.or.kr/fss/vstop/guide/status.jsp
Geeta, D. V. (2011). Online identity theft – An Indian perspective. Journal of Financial Crime, 18 , 235–246.
Golladay, K. A. (2017). Reporting behaviors of identity theft victims: An empirical test of Black’s theory of law. Journal of Financial Crime, 24 , 101–117.
Golladay, K. A., & Holtfreter, K. (2017). The consequences of identity theft victimization: An examination of emotional and physical health outcomes. Victims & Offenders, 12 , 741–760.
Gordon, G. R., Rebovich, D., Choo, K. S., & Gordon, J. B. (2007). Identity fraud trends and patterns: Building a data-based foundation for proactive enforcement . Utica: Center for Identity Management and Information Protection.
Gottfredson, M. R., & Gottfredson, D. M. (1988). Decision making in criminal justice: Towards the rational exercise of discretion (2nd ed.). New York: Plenum.
Book Google Scholar
Gottfredson, M., & Hirschi, T. (1990). A general theory of crime . Stanford: Stanford University Press.
Harrell, E. (2015). Victims of identity theft, 2014. (NCJ 248991) . Washington, DC: Bureau of Justice Statistics.
Harrell, E., & Langton, L. (2013). Victims of identity theft, 2012. (NCJ 243779) . Washington, DC: Bureau of Justice Statistics.
Hindelang, M. J., Gottfredson, M. R., & Garofalo, J. (1978). Victims of personal crime: An empirical foundation for a theory of personal victimization . Cambridge, MA: Ballinger.
Hoar, S. (2001). Identity theft: The crime of the new millennium. Oregon Law Review, 80 , 1423–1442.
Holm, E. (2017). The darknet: A new passageway to identity theft. International Journal of Information Security and Cybercrime, 6 , 41–47.
Holt, T. J., & Turner, M. G. (2012). Examining risk and protective factors of on-line identity theft. Deviant Behavior, 33 , 308–323.
Holtfreter, R. E., & Holtfreter, K. (2006). Gauging the effectiveness of US identity theft legislation. Journal of Financial Crime, 13 , 56–64.
Holtfreter, K., Reisig, M. D., & Pratt, T. C. (2008). Low self-control, routine activities, and fraud victimization. Criminology, 46 , 189–220.
Holtfreter, K., Reisig, M. D., Pratt, T. C., & Holtfreter, R. E. (2015). Risky remote purchasing and identity theft victimization among older internet users. Psychology, Crime & Law, 21 , 681–698.
Identity Theft Assumption and Deterrence Act of 1998, Pub.L. 105-318, 112 Stat. 3007, codified as amended at 18 U.S.C. §§4701–4707.
Identity Theft Penalty Enforcement Act of 2004, Pub.L. 108-275, 118 Stat. 831, codified as amended at 18 U.S.C. §1001.
Identity Theft Resource Center. (2014). Identity theft: The aftermath 2013 . Retrieved from https://www.idtheftcenter.org/images/surveys_studies/Aftermath2013.pdf
Identity Theft Resource Center. (2018). Identity theft: The aftermath 2017 . Retrieved from https://www.ftc.gov/system/files/documents/public_comments/2017/10/00004-141444.pdf
Korea Internet & Security Agency. (2014). Mobile Internet usage statistics . Retrieved from http://isis.kisa.or.kr
Langton, L., & Planty, M. (2010). Victims of identity theft, 2008. (NCJ 231680) . Washington, DC: Bureau of Justice Statistics.
Lauritsen, J., & Heimer, K. (2008). The gender gap in violent victimization, 1973–2004. Journal of Quantitative Criminology, 24 , 125–147.
Lynch, J. (2005). Identity theft in cyberspace: Crime control methods and their effectiveness in combating phishing attacks. Berkeley Technology Law Journal, 20 , 259–300.
Marcum, C. D., Higgins, G. E., Ricketts, M. L., & Wolfe, S. E. (2015). Becoming someone new: Identity theft behaviors by high school students. Journal of Financial Crime, 22 , 318–328.
Mathews, R. C. (2013). International identity theft: How the internet revolutionized identity theft and the approaches the world’s nations are taking to combat it. Florida Journal of International Law, 25 , 311–329.
Morgan, R. E., & Ken, G. (2018). Criminal victimization, 2016: Revised. (NCJ 252121) . Washington, DC: Bureau of Justice Statistics.
Morris, R. G. (2010). Identity thieves and levels of sophistication: Findings from a national probability sample of American newspaper articles 1995–2005. Deviant Behavior, 31 , 184–207.
National Fraud Authority. (2013). Annual fraud indicator . London: National Fraud Authority.
Paek, S. Y., & Nalla, M. K. (2015). The relationship between receiving phishing attempt and identity theft victimization in South Korea. International Journal of Law, Crime and Justice, 43 , 626–642.
Pratt, T. C., & Cullen, F. T. (2000). The empirical status of Gottfredson and Hirschi’s general theory of crime: A meta-analysis. Criminology, 38 , 931–964.
Pratt, T. C., Turanovic, J. J., Fox, K. A., & Wright, K. A. (2014). Self-control and victimization: A meta-analysis. Criminology, 52 , 87–116.
President’s Identity Theft Task Force. (2008). The President’s identity theft task force report . Retrieved from https://www.ftc.gov/sites/default/files/documents/reports/presidents-identity-theft-task-force-report/081021taskforcereport.pdf
Reyns, B. W. (2013). Online routines and identity theft victimization: Further expanding routine activity theory beyond direct-contact offenses. Journal of Research on Crime and Delinquency, 50 , 216–238.
Reyns, B. W., & Henson, B. (2016). The thief with a thousand faces and the victim with none: Identifying determinants for online identity theft victimization with routine activity theory. International Journal of Offender Therapy and Comparative Criminology, 60 , 1119–1139.
Reyns, B. W., & Randa, R. (2017). Victim reporting behaviors following identity theft victimization: Results from the National Crime Victimization Survey. Crime & Delinquency, 63 , 814–838.
Reyns, B. W., Henson, B., & Fisher, B. S. (2011). Being pursued online: Applying cyber-lifestyle-routine activities theory to cyberstalking victimization. Criminal Justice and Behavior, 38 , 1149–1169.
Romanosky, S., Telang, R., & Acquisti, A. (2011). Do data breach disclosure laws reduce identity theft? Journal of Policy Analysis and Management, 30 , 256–286.
Sharp, T., Shreve-Neiger, A., Fremouw, W., Kane, J., & Hutton, S. (2004). Exploring the psychological and somatic impact of identity theft. Journal of Forensic Science, 49 , 1–6.
Slosarik, K. (2002). Identity theft: An overview of the problem. Criminal Justice Studies, 15 , 329–343.
Steffensmeier, D., Ulmer, J., & Kramer, J. (1998). The interaction of race, gender, and age in criminal sentencing: The punishment cost of being young, black, and male. Criminology, 36 , 763–796.
Sykes, G. M., & Matza, D. (1957). Techniques of neutralization: A theory of delinquency. American Sociological Review, 22 , 664–670.
Symantec. (2009). Symantec global internet security threat report trends for 2008 . Mountain View: Symantec Corporation.
Synovate. (2007). Federal trade commission: 2006 identity theft survey report . Retrieved from https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-2006-identity-theft-survey-report-prepared-commission-synovate/synovatereport.pdf
United Nations Office on Drugs and Crime. (2011). Handbook on identity-related crime . Retrieved from https://www.unodc.org/documents/data-and-analysis/WDR2011/World_Drug_Report_2011_ebook.pdf
White, M. D., & Fisher, C. (2008). Assessing our knowledge of identity theft: The challenges to effective prevention and control efforts. Criminal Justice Policy Review, 19 , 3–24.
Williams, M. L. (2016). Guardians upon high: An application of routine activities theory to on line identity theft in Europe at the country and individual level. British Journal of Criminology, 56 , 21–48.
Download references
Author information
Authors and affiliations.
University of Wyoming, Laramie, WY, USA
Katelyn A. Golladay
You can also search for this author in PubMed Google Scholar
Corresponding author
Correspondence to Katelyn A. Golladay .
Rights and permissions
Reprints and permissions
Copyright information
© 2019 The Author(s), under exclusive licence to Springer Nature Switzerland AG
About this entry
Cite this entry.
Golladay, K.A. (2019). Identity Theft: Nature, Extent, and Global Response. In: The Palgrave Handbook of International Cybercrime and Cyberdeviance. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-319-90307-1_40-1
Download citation
DOI : https://doi.org/10.1007/978-3-319-90307-1_40-1
Received : 04 June 2019
Accepted : 19 June 2019
Published : 21 July 2019
Publisher Name : Palgrave Macmillan, Cham
Print ISBN : 978-3-319-90307-1
Online ISBN : 978-3-319-90307-1
eBook Packages : Springer Reference Law and Criminology Reference Module Humanities and Social Sciences Reference Module Business, Economics and Social Sciences
- Publish with us
Policies and ethics
- Find a journal
- Track your research
- Reference Manager
- Simple TEXT file
People also looked at
Review article, phishing attacks: a recent comprehensive study and a new anatomy.
- Cardiff School of Technologies, Cardiff Metropolitan University, Cardiff, United Kingdom
With the significant growth of internet usage, people increasingly share their personal information online. As a result, an enormous amount of personal information and financial transactions become vulnerable to cybercriminals. Phishing is an example of a highly effective form of cybercrime that enables criminals to deceive users and steal important data. Since the first reported phishing attack in 1990, it has been evolved into a more sophisticated attack vector. At present, phishing is considered one of the most frequent examples of fraud activity on the Internet. Phishing attacks can lead to severe losses for their victims including sensitive information, identity theft, companies, and government secrets. This article aims to evaluate these attacks by identifying the current state of phishing and reviewing existing phishing techniques. Studies have classified phishing attacks according to fundamental phishing mechanisms and countermeasures discarding the importance of the end-to-end lifecycle of phishing. This article proposes a new detailed anatomy of phishing which involves attack phases, attacker’s types, vulnerabilities, threats, targets, attack mediums, and attacking techniques. Moreover, the proposed anatomy will help readers understand the process lifecycle of a phishing attack which in turn will increase the awareness of these phishing attacks and the techniques being used; also, it helps in developing a holistic anti-phishing system. Furthermore, some precautionary countermeasures are investigated, and new strategies are suggested.
Introduction
The digital world is rapidly expanding and evolving, and likewise, as are cybercriminals who have relied on the illegal use of digital assets—especially personal information—for inflicting damage to individuals. One of the most threatening crimes of all internet users is that of ‘identity theft’ ( Ramanathan and Wechsler, 2012 ) which is defined as impersonating the person’s identity to steal and use their personal information (i.e., bank details, social security number, or credit card numbers, etc.) by an attacker for the individuals’ own gain not just for stealing money but also for committing other crimes ( Arachchilage and Love, 2014 ). Cyber criminals have also developed their methods for stealing their information, but social-engineering-based attacks remain their favorite approach. One of the social engineering crimes that allow the attacker to perform identity theft is called a phishing attack. Phishing has been one of the biggest concerns as many internet users fall victim to it. It is a social engineering attack wherein a phisher attempts to lure the users to obtain their sensitive information by illegally utilizing a public or trustworthy organization in an automated pattern so that the internet user trusts the message, and reveals the victim’s sensitive information to the attacker ( Jakobsson and Myers, 2006 ). In phishing attacks, phishers use social engineering techniques to redirect users to malicious websites after receiving an email and following an embedded link ( Gupta et al., 2015 ). Alternatively, attackers could exploit other mediums to execute their attacks such as Voice over IP (VoIP), Short Message Service (SMS) and, Instant Messaging (IM) ( Gupta et al., 2015 ). Phishers have also turned from sending mass-email messages, which target unspecified victims, into more selective phishing by sending their emails to specific victims, a technique called “spear-phishing.”
Cybercriminals usually exploit users with a lack of digital/cyber ethics or who are poorly trained in addition to technical vulnerabilities to reach their goals. Susceptibility to phishing varies between individuals according to their attributes and awareness level, therefore, in most attacks, phishers exploit human nature for hacking, instead of utilising sophisticated technologies. Even though the weakness in the information security chain is attributed to humans more than the technology, there is a lack of understanding about which ring in this chain is first penetrated. Studies found that certain personal characteristics make some persons more receptive to various lures ( Iuga et al., 2016 ; Ovelgönne et al., 2017 ; Crane, 2019 ). For example, individuals who usually obey authorities more than others are more likely to fall victim to a Business Email Compromise (BEC) that is pretending to be from a financial institution and requests immediate action by seeing it as a legitimate email ( Barracuda, 2020 ). Greediness is another human weakness that could be used by an attacker, for example, emails that offering either great discounts, free gift cards, and others ( Workman, 2008 ).
Various channels are used by the attacker to lure the victim through a scam or through an indirect manner to deliver a payload for gaining sensitive and personal information from the victim ( Ollmann, 2004 ). However, phishing attacks have already led to damaging losses and could affect the victim not only through a financial context but could also have other serious consequences such as loss of reputation, or compromise of national security ( Ollmann, 2004 ; Herley and Florêncio, 2008 ). Cybercrime damages have been expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 according to Cybersecurity Ventures ( Morgan, 2019 ). Phishing attacks are the most common type of cybersecurity breaches as stated by the official statistics from the cybersecurity breaches survey 2020 in the United Kingdom ( GOV.UK, 2020 ). Although these attacks affect organizations and individuals alike, the loss for the organizations is significant, which includes the cost for recovery, the loss of reputation, fines from information laws/regulations, and reduced productivity ( Medvet et al., 2008 ).
Phishing is a field of study that merges social psychology, technical systems, security subjects, and politics. Phishing attacks are more prevalent: a recent study ( Proofpoint, 2020 ) found that nearly 90% of organizations faced targeted phishing attacks in 2019. From which 88% experienced spear-phishing attacks, 83% faced voice phishing (Vishing), 86% dealt with social media attacks, 84% reported SMS/text phishing (SMishing), and 81% reported malicious USB drops. The 2018 Proofpoint 1 annual report ( Proofpoint, 2019a ) has stated that phishing attacks jumped from 76% in 2017 to 83% in 2018, where all phishing types happened more frequently than in 2017. The number of phishing attacks identified in the second quarter of 2019 was notably higher than the number recorded in the previous three quarters. While in the first quarter of 2020, this number was higher than it was in the previous one according to a report from Anti-Phishing Working Group (APWG 2 ) ( APWG, 2018 ) which confirms that phishing attacks are on the rise. These findings have shown that phishing attacks have increased continuously in recent years and have become more sophisticated and have gained more attention from cyber researchers and developers to detect and mitigate their impact. This article aims to determine the severity of the phishing problem by providing detailed insights into the phishing phenomenon in terms of phishing definitions, current statistics, anatomy, and potential countermeasures.
The rest of the article is organized as follows. Phishing Definitions provides a number of phishing definitions as well as some real-world examples of phishing. The evolution and development of phishing attacks are discussed in Developing a Phishing Campaign . What Attributes Make Some People More Susceptible to Phishing Attacks Than Others explores the susceptibility to these attacks. The proposed phishing anatomy and types of phishing attacks are elaborated in Proposed Phishing Anatomy . In Countermeasures , various anti-phishing countermeasures are discussed. The conclusions of this study are drawn in Conclusion .
Phishing Definitions
Various definitions for the term “phishing” have been proposed and discussed by experts, researchers, and cybersecurity institutions. Although there is no established definition for the term “phishing” due to its continuous evolution, this term has been defined in numerous ways based on its use and context. The process of tricking the recipient to take the attacker’s desired action is considered the de facto definition of phishing attacks in general. Some definitions name websites as the only possible medium to conduct attacks. The study ( Merwe et al., 2005 , p. 1) defines phishing as “a fraudulent activity that involves the creation of a replica of an existing web page to fool a user into submitting personal, financial, or password data.” The above definition describes phishing as an attempt to scam the user into revealing sensitive information such as bank details and credit card numbers, by sending malicious links to the user that leads to the fake web establishment. Others name emails as the only attack vector. For instance, PishTank (2006) defines phishing as “a fraudulent attempt, usually made through email, to steal your personal information.” A description for phishing stated by ( Kirda and Kruegel, 2005 , p.1) defines phishing as “a form of online identity theft that aims to steal sensitive information such as online banking passwords and credit card information from users.” Some definitions highlight the usage of combined social and technical skills. For instance, APWG defines phishing as “a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials” ( APWG, 2018 , p. 1). Moreover, the definition from the United States Computer Emergency Readiness Team (US-CERT) states phishing as “a form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity” ( CISA, 2018 ). A detailed definition has been presented in ( Jakobsson and Myers, 2006 , p. 1), which describes phishing as “a form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate users’ confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organization in an automated fashion. Such communications are most frequently done through emails that direct users to fraudulent websites that in turn collect the credentials in question.”
In order to understand the anatomy of the phishing attack, there is a necessity for a clear and detailed definition that underpins previous existent definitions. Since a phishing attack constitutes a mix of technical and social engineering tactics, a new definition (i.e., Anatomy) has been proposed in this article, which describes the complete process of a phishing attack. This provides a better understanding for the readers as it covers phishing attacks in depth from a range of perspectives. Various angles and this might help beginner readers or researchers in this field. To this end, we define phishing as a socio-technical attack, in which the attacker targets specific valuables by exploiting an existing vulnerability to pass a specific threat via a selected medium into the victim’s system, utilizing social engineering tricks or some other techniques to convince the victim into taking a specific action that causes various types of damages.
Figure 1 depicts the general process flow for a phishing attack that contains four phases; these phases are elaborated in Proposed Phishing Anatomy . However, as shown in Figure 1 , in most attacks, the phishing process is initiated by gathering information about the target. Then the phisher decides which attack method is to be used in the attack as initial steps within the planning phase. The second phase is the preparation phase, in which the phisher starts to search for vulnerabilities through which he could trap the victim. The phisher conducts his attack in the third phase and waits for a response from the victim. In turn, the attacker could collect the spoils in the valuables acquisition phase, which is the last step in the phishing process. To elaborate the above phishing process using an example, an attacker may send a fraudulent email to an internet user pretending to be from the victim’s bank, requesting the user to confirm the bank account details, or else the account may be suspended. The user may think this email is legitimate since it uses the same graphic elements, trademarks, and colors of their legitimate bank. Submitted information will then be directly transmitted to the phisher who will use it for different malicious purposes such as money withdrawal, blackmailing, or committing further frauds.
FIGURE 1 . General phishing attack process.
Real-World Phishing Examples
Some real-world examples of phishing attacks are discussed in this section to present the complexity of some recent phishing attacks. Figure 2 shows the screenshot of a suspicious phishing email that passed a University’s spam filters and reached the recipient mailbox. As shown in Figure 2 , the phisher uses the sense of importance or urgency in the subject through the word ‘important,’ so that the email can trigger a psychological reaction in the user to prompt them into clicking the button “View message.” The email contains a suspicious embedded button, indeed, when hovering over this embedded button, it does not match with Uniform Resource Locator (URL) in the status bar. Another clue in this example is that the sender's address is questionable and not known to the receiver. Clicking on the fake attachment button will result in either installation of a virus or worm onto the computer or handing over the user’s credentials by redirecting the victim onto a fake login page.
FIGURE 2 . Screenshot of a real suspicious phishing email received by the authors’ institution in February 2019.
More recently, phishers take advantage of the Coronavirus pandemic (COVID-19) to fool their prey. Many Coronavirus-themed scam messages sent by attackers exploited people’s fear of contracting COVID-19 and urgency to look for information related to Coronavirus (e.g., some of these attacks are related to Personal Protective Equipment (PPE) such as facemasks), the WHO stated that COVID-19 has created an Infodemic which is favorable for phishers ( Hewage, 2020 ). Cybercriminals also lured people to open attachments claiming that it contains information about people with Coronavirus within the local area.
Figure 3 shows an example of a phishing e-mail where the attacker claimed to be the recipient’s neighbor sending a message in which they pretended to be dying from the virus and threatening to infect the victim unless a ransom was paid ( Ksepersky, 2020 ).
FIGURE 3 . Screenshot of a coronavirus related phishing email ( Ksepersky, 2020 ).
Another example is the phishing attack spotted by a security researcher at Akamai organization in January 2019. The attack attempted to use Google Translate to mask suspicious URLs, prefacing them with the legit-looking “ www.translate.google.com ” address to dupe users into logging in ( Rhett, 2019 ). That attack followed with Phishing scams asking for Netflix payment detail for example, or embedded in promoted tweets that redirect users to genuine-looking PayPal login pages. Although the tricky/bogus page was very well designed in the latter case, the lack of a Hypertext Transfer Protocol Secure (HTTPS) lock and misspellings in the URL were key red flags (or giveaways) that this was actually a phishing attempt ( Keck, 2018 ). Figure 4A shows a screenshot of a phishing email received by the Federal Trade Commission (FTC). The email promotes the user to update his payment method by clicking on a link, pretending that Netflix is having a problem with the user's billing information ( FTC, 2018 ).
FIGURE 4 . Screenshot of the (A) Netflix scam email and (B) fraudulent text message (Apple) ( Keck, 2018 ; Rhett, 2019 )
Figure 4B shows a text message as another example of phishing that is difficult to spot as a fake text message ( Pompon et al., 2018 ). The text message shown appears to come from Apple asking the customer to update the victim’s account. A sense of urgency is used in the message as a lure to motivate the user to respond.
Developing a Phishing Campaign
Today, phishing is considered one of the most pressing cybersecurity threats for all internet users, regardless of their technical understanding and how cautious they are. These attacks are getting more sophisticated by the day and can cause severe losses to the victims. Although the attacker’s first motivation is stealing money, stolen sensitive data can be used for other malicious purposes such as infiltrating sensitive infrastructures for espionage purposes. Therefore, phishers keep on developing their techniques over time with the development of electronic media. The following sub-sections discuss phishing evolution and the latest statistics.
Historical Overview
Cybersecurity has been a major concern since the beginning of APRANET, which is considered to be the first wide-area packet-switching network with distributed control and one of the first networks to implement the TCP/IP protocol suite. The term “Phishing” which was also called carding or brand spoofing, was coined for the first time in 1996 when the hackers created randomized credit card numbers using an algorithm to steal users' passwords from America Online (AOL) ( Whitman and Mattord, 2012 ; Cui et al., 2017 ). Then phishers used instant messages or emails to reach users by posing as AOL employees to convince users to reveal their passwords. Attackers believed that requesting customers to update their account would be an effective way to disclose their sensitive information, thereafter, phishers started to target larger financial companies. The author in ( Ollmann, 2004 ) believes that the “ph” in phishing comes from the terminology “Phreaks” which was coined by John Draper, who was also known as Captain Crunch, and was used by early Internet criminals when they phreak telephone systems. Where the “f” in ‘fishing’ replaced with “ph” in “Phishing” as they both have the same meaning by phishing the passwords and sensitive information from the sea of internet users. Over time, phishers developed various and more advanced types of scams for launching their attack. Sometimes, the purpose of the attack is not limited to stealing sensitive information, but it could involve injecting viruses or downloading the malicious program into a victim's computer. Phishers make use of a trusted source (for instance a bank helpdesk) to deceive victims so that they disclose their sensitive information ( Ollmann, 2004 ).
Phishing attacks are rapidly evolving, and spoofing methods are continuously changing as a response to new corresponding countermeasures. Hackers take advantage of new tool-kits and technologies to exploit systems’ vulnerabilities and also use social engineering techniques to fool unsuspecting users. Therefore, phishing attacks continue to be one of the most successful cybercrime attacks.
The Latest Statistics of Phishing Attacks
Phishing attacks are becoming more common and they are significantly increasing in both sophistication and frequency. Lately, phishing attacks have appeared in various forms. Different channels and threats are exploited and used by the attackers to trap more victims. These channels could be social networks or VoIP, which could carry various types of threats such as malicious attachments, embedded links within an email, instant messages, scam calls, or other types. Criminals know that social engineering-based methods are effective and profitable; therefore, they keep focusing on social engineering attacks, as it is their favorite weapon, instead of concentrating on sophisticated techniques and toolkits. Phishing attacks have reached unprecedented levels especially with emerging technologies such as mobile and social media ( Marforio et al., 2015 ). For instance, from 2017 to 2020, phishing attacks have increased from 72 to 86% among businesses in the United Kingdom in which a large proportion of the attacks are originated from social media ( GOV.UK, 2020 ).
The APWG Phishing Activity Trends Report analyzes and measures the evolution, proliferation, and propagation of phishing attacks reported to the APWG. Figure 5 shows the growth in phishing attacks from 2015 to 2020 by quarters based on APWG annual reports ( APWG, 2020 ). As demonstrated in Figure 5 , in the third quarter of 2019, the number of phishing attacks rose to 266,387, which is the highest level in three years since late 2016. This was up 46% from the 182,465 for the second quarter, and almost double the 138,328 seen in the fourth quarter of 2018. The number of unique phishing e-mails reported to APWG in the same quarter was 118,260. Furthermore, it was found that the number of brands targeted by phishing campaigns was 1,283.
FIGURE 5 . The growth in phishing attacks 2015–2020 by quarters based on data collected from APWG annual reports.
Cybercriminals are always taking advantage of disasters and hot events for their own gains. With the beginning of the COVID-19 crisis, a variety of themed phishing and malware attacks have been launched by phishers against workers, healthcare facilities, and even the general public. A report from Microsoft ( Microsoft, 2020 ) showed that cyber-attacks related to COVID-19 had spiked to an unprecedented level in March, most of these scams are fake COVID-19 websites according to security company RiskIQ ( RISKIQ, 2020 ). However, the total number of phishing attacks observed by APWG in the first quarter of 2020 was 165,772, up from the 162,155 observed in the fourth quarter of 2019. The number of these unique phishing reports submitted to APWG during the first quarter of 2020 was 139,685, up from 132,553 in the fourth quarter of 2019, 122,359 in the third quarter of 2019, and 112,163 in the second quarter of 2019 ( APWG, 2020 ).
A study ( KeepnetLABS, 2018 ) confirmed that more than 91% of system breaches are caused by attacks initiated by email. Although cybercriminals use email as the main medium for leveraging their attacks, many organizations faced a high volume of different social engineering attacks in 2019 such as Social Media Attacks, Smishing Attacks, Vishing Attacks, USB-based Attacks (for example by hiding and delivering malware to smartphones via USB phone chargers and distributing malware-laden free USBs) ( Proofpoint, 2020 ). However, info-security professionals reported a higher frequency of all types of social engineering attacks year-on-year according to a report presented by Proofpoint. Spear phishing increased to 64% in 2018 from 53% in 2017, Vishing and/or SMishing increased to 49% from 45%, and USB attacks increased to 4% from 3%. The positive side shown in this study is that 59% of suspicious emails reported by end-users were classified as potential phishing, indicating that employees are being more security-aware, diligent, and thoughtful about the emails they receive ( Proofpoint, 2019a ). In all its forms, phishing can be one of the easiest cyber attacks to fall for. With the increasing levels of different phishing types, a survey was conducted by Proofpoint to identify the strengths and weaknesses of particular regions in terms of specific fundamental cybersecurity concepts. In this study, several questions were asked of 7,000 end-users about the identification of multiple terms like phishing, ransomware, SMishing, and Vishing across seven countries; the US, United Kingdom, France, Germany, Italy, Australia, and Japan. The response was different from country to country, where respondents from the United Kingdom recorded the highest knowledge with the term phishing at 70% and the same with the term ransomware at 60%. In contrast, the results showed that the United Kingdom recorded only 18% for each Vishing and SMishing ( Proofpoint, 2019a ), as shown in Table 1 .
TABLE 1 . Percentage of respondents understanding multiple cybersecurity terms from different countries.
On the other hand, a report by Wombat security reflects responses from more than 6,000 working adults about receiving fraudulent solicitation across six countries; the US, United Kingdom, Germany, France, Italy, and Australia ( Ksepersky, 2020 ). Respondents from the United Kingdom stated that they were recipients of fraudulent solicitations through the following sources: email 62%, phone call 27%, text message 16%, mailed letter 8%, social media 10%, and 17% confirmed that they been the victim of identity theft ( Ksepersky, 2020 ). However, the consequences of responding to phishing are serious and costly. For instance, the United Kingdom losses from financial fraud across payment cards, remote banking, and cheques totaled £768.8 million in 2016 ( Financial Fraud Action UK, 2017 ). Indeed, the losses resulting from phishing attacks are not limited to financial losses that might exceed millions of pounds, but also loss of customers and reputation. According to the 2020 state of phish report ( Proofpoint, 2020 ), damages from successful phishing attacks can range from lost productivity to cash outlay. The cost can include; lost hours from employees, remediation time for info security teams’ costs due to incident response, damage to reputation, lost intellectual property, direct monetary losses, compliance fines, lost customers, legal fees, etc.
There are many targets for phishing including end-user, business, financial services (i.e., banks, credit card companies, and PayPal), retail (i.e., eBay, Amazon) and, Internet Service Providers ( wombatsecurity.com, 2018 ). Affected organizations detected by Kaspersky Labs globally in the first quarter of 2020 are demonstrated in Figure 6 . As shown in the figure, online stores were at the top of the targeted list (18.12%) followed by global Internet portals (16.44%) and social networks in third place (13.07%) ( Ksepersky, 2020 ). While the most impersonated brands overall for the first quarter of 2020 were Apple, Netflix, Yahoo, WhatsApp, PayPal, Chase, Facebook, Microsoft eBay, and Amazon ( Checkpoint, 2020 ).
FIGURE 6 . Distribution of organizations affected by phishing attacks detected by Kaspersky in quarter one of 2020.
Phishing attacks can take a variety of forms to target people and steal sensitive information from them. Current data shows that phishing attacks are still effective, which indicates that the available existing countermeasures are not enough to detect and prevent these attacks especially on smart devices. The social engineering element of the phishing attack has been effective in bypassing the existing defenses to date. Therefore, it is essential to understand what makes people fall victim to phishing attacks. What Attributes Make Some People More Susceptible to Phishing Attacks Than Others discusses the human attributes that are exploited by the phishers.
What Attributes Make Some People More Susceptible to Phishing Attacks Than Others
Why do most existing defenses against phishing not work? What personal and contextual attributes make them more susceptible to phishing attacks than other users? Different studies have discussed those two questions and examined the factors affecting susceptibility to a phishing attack and the reasons behind why people get phished. Human nature is considered one of the most affecting factors in the process of phishing. Everyone is susceptible to phishing attacks because phishers play on an individual’s specific psychological/emotional triggers as well as technical vulnerabilities ( KeepnetLABS, 2018 ; Crane, 2019 ). For instance, individuals are likely to click on a link within an email when they see authority cues ( Furnell, 2007 ). In 2017, a report by PhishMe (2017) found that curiosity and urgency were the most common triggers that encourage people to respond to the attack, later these triggers were replaced by entertainment, social media, and reward/recognition as the top emotional motivators. However, in the context of a phishing attack, the psychological triggers often surpass people’s conscious decisions. For instance, when people are working under stress, they tend to make decisions without thinking of the possible consequences and options ( Lininger and Vines, 2005 ). Moreover, everyday stress can damage areas of the brain that weakens the control of their emotions ( Keinan, 1987 ). Several studies have addressed the association between susceptibility to phishing and demographic variables (e.g., age and gender) as an attempt to identify the reasons behind phishing success at different population groups. Although everyone is susceptible to phishing, studies showed that different age groups are more susceptible to certain lures than others are. For example, participants with an age range between 18 and 25 are more susceptible to phishing than other age groups ( Williams et al., 2018 ). The reason that younger adults are more likely to fall for phishing, is that younger adults are more trusting when it comes to online communication, and are also more likely to click on unsolicited e-mails ( Getsafeonline, 2017 ). Moreover, older participants are less susceptible because they tend to be less impulsive ( Arnsten et al., 2012 ). While some studies confirmed that women are more susceptible than men to phishing as they click on links in phishing emails and enter information into phishing websites more often than men do. The study published by Getsafeonline (2017) identifies a lack of technical know-how and experience among women than men as the main reason for this. In contrast, a survey conducted by antivirus company Avast found that men are more susceptible to smartphone malware attacks than women ( Ong, 2014 ). These findings confirmed the results from the study ( Hadlington, 2017 ) that found men are more susceptible to mobile phishing attacks than women. The main reason behind this according to Hadlington (2017) is that men are more comfortable and trusting when using mobile online services. The relationships between demographic characteristics of individualls and their ability to correctly detect a phishing attack have been studied in ( Iuga et al., 2016 ). The study showed that participants with high Personal Computer (PC) usage tend to identify phishing efforts more accurately and faster than other participants. Another study ( Hadlington, 2017 ) showed that internet addiction, attentional, and motor impulsivity were significant positive predictors for risky cybersecurity behaviors while a positive attitude toward cybersecurity in business was negatively related to risky cybersecurity behaviors. On the other hand, the trustworthiness of people in some web sites/platforms is one of the holes that the scammers or crackers exploit especially when it based on visual appearance that could fool the user ( Hadlington, 2017 ). For example, fraudsters take advantage of people’s trust in a website by replacing a letter from the legitimate site with a number such as goog1e.com instead of google.com . Another study ( Yeboah-Boateng and Amanor, 2014 ) demonstrates that although college students are unlikely to disclose personal information as a response to an email, nonetheless they could easily be tricked by other tactics, making them alarmingly susceptible to email phishing attacks. The reason for that is most college students do not have a basis in ICT especially in terms of security. Although security terms like viruses, online scams and worms are known by some end-users, these users could have no knowledge about Phishing, SMishing, and Vishing and others ( Lin et al., 2012 ). However, study ( Yeboah-Boateng and Amanor, 2014 ) shows that younger students are more susceptible than older students, and students who worked full-time were less likely to fall for phishing.
The study reported in ( Diaz et al., 2020 ) examines user click rates and demographics among undergraduates by sending phishing attacks to 1,350 randomly selected students. Students from various disciplines were involved in the test, from engineering and mathematics to arts and social sciences. The study observed that student susceptibility was affected by a range of factors such as phishing awareness, time spent on the computer, cyber training, age, academic year, and college affiliation. The most surprising finding is that those who have greater phishing knowledge are more susceptible to phishing scams. The authors consider two speculations for these unexpected findings. First, user’s awareness about phishing might have been increased with the continuous falling for phishing scams. Second, users who fell for the phish might have less knowledge about phishing than they claim. Other findings from this study agreed with findings from other studies that is, older students were more able to detect a phishing email, and engineering and IT majors had some of the lowest click rates as shown in Figure 7 , which shows that some academic disciplines are more susceptible to phishing than others ( Bailey et al., 2008 ).
FIGURE 7 . The number of clicks on phishing emails by students in the College of Arts, Humanities, and Social Sciences (AHSS), the College of Engineering and Information Technology (EIT), and the College of Natural and Mathematical Sciences (NMS) at the University of Maryland, Baltimore County (UMBC) ( Diaz et al., 2020 ).
Psychological studies have also illustrated that the user’s ability to avoid phishing attacks affected by different factors such as browser security indicators and user's awareness of phishing. The author in ( Dhamija et al., 2006 ) conducted an experimental study using 22 participants to test the user’s ability to recognize phishing websites. The study shows that 90% of these participants became victims of phishing websites and 23% of them ignored security indexes such as the status and address bar. In 2015, another study was conducted for the same purpose, where a number of fake web pages was shown to the participants ( Alsharnouby et al., 2015 ). The results of this study showed that participants detected only 53% of phishing websites successfully. The authors also observed that the time spent on looking at browser elements affected the ability to detect phishing. Lack of knowledge or awareness and carelessness are common causes for making people fall for a phishing trap. Most people have unknowingly opened a suspicious attachment or clicked a fake link that could lead to different levels of compromise. Therefore, focusing on training and preparing users for dealing with such attacks are essential elements to minimize the impact of phishing attacks.
Given the above discussion, susceptibility to phishing varies according to different factors such as age, gender, education level, internet, and PC addiction, etc. Although for each person, there is a trigger that can be exploited by phishers, even people with high experience may fall prey to phishing due to the attack sophistication that makes it difficult to be recognized. Therefore, it is inequitable that the user has always been blamed for falling for these attacks, developers must improve the anti-phishing systems in a way that makes the attack invisible. Understanding the susceptibility of individuals to phishing attacks will help in better developing prevention and detection techniques and solutions.
Proposed Phishing Anatomy
Phishing process overview.
Generally, most of the phishing attacks start with an email ( Jagatic et al., 2007 ). The phishing mail could be sent randomly to potential users or it can be targeted to a specific group or individuals. Many other vectors can also be used to initiate the attack such as phone calls, instant messaging, or physical letters. However, phishing process steps have been discussed by many researchers due to the importance of understanding these steps in developing an anti-phishing solution. The author in the study ( Rouse, 2013 ) divides the phishing attack process into five phases which are planning, setup, attack, collection, and cash. A study ( Jakobsson and Myers, 2006 ) discusses the phishing process in detail and explained it as step-by-step phases. These phases include preparation for the attack, sending a malicious program using the selected vector, obtaining the user’s reaction to the attack, tricking a user to disclose their confidential information which will be transmitted to the phisher, and finally obtaining the targeted money. While the study ( Abad, 2005 ) describes a phishing attack in three phases: the early phase which includes initializing attack, creating the phishing email, and sending a phishing email to the victim. The second phase includes receiving an email by the victim and disclosing their information (in the case of the respondent) and the final phase in which the defrauding is successful. However, all phishing scams include three primary phases, the phisher requests sensitive valuables from the target, and the target gives away these valuables to a phisher, and phisher misuses these valuables for malicious purposes. These phases can be classified furthermore into its sub-processes according to phishing trends. Thus, a new anatomy for phishing attacks has been proposed in this article, which expands and integrates previous definitions to cover the full life cycle of a phishing attack. The proposed new anatomy, which consists of 4 phases, is shown in Figure 8 . This new anatomy provides a reference structure to look at phishing attacks in more detail and also to understand potential countermeasures to prevent them. The explanations for each phase and its components are presented as follows:
FIGURE 8 . The proposed anatomy of phishing was built upon the proposed phishing definition in this article, which concluded from our understanding of a phishing attack.
Figure 8 depicts the proposed anatomy of the phishing attack process, phases, and components drawn upon the proposed definition in this article. The proposed phishing anatomy explains in detail each phase of phishing phases including attackers and target types, examples about the information that could be collected by the attacker about the victim, and examples about attack methods. The anatomy, as shown in the figure, illustrates a set of vulnerabilities that the attacker can exploit and the mediums used to conduct the attack. Possible threats are also listed, as well as the data collection method for a further explanation and some examples about target responding types and types of spoils that the attacker could gain and how they can use the stolen valuables. This anatomy elaborates on phishing attacks in depth which helps people to better understand the complete phishing process (i.e., end to end Phishing life cycle) and boost awareness among readers. It also provides insights into potential solutions for phishing attacks we should focus on. Instead of always placing the user or human in an accusation ring as the only reason behind phishing success, developers must be focusing on solutions to mitigate the initiation of the attack by preventing the bait from reaching the user. For instance, to reach the target’s system, the threat has to pass through many layers of technology or defenses exploiting one or more vulnerabilities such as web and software vulnerabilities.
Planning Phase
This is the first stage of the attack, where a phisher makes a decision about the targets and starts gathering information about them (individuals or company). Phishers gather information about the victims to lure them based on psychological vulnerability. This information can be anything like name, e-mail addresses for individuals, or the customers of that company. Victims could also be selected randomly, by sending mass mailings or targeted by harvesting their information from social media, or any other source. Targets for phishing could be any user with a bank account and has a computer on the Internet. Phishers target businesses such as financial services, retail sectors such as eBay and Amazon, and internet service providers such as MSN/Hotmail, and Yahoo ( Ollmann, 2004 ; Ramzan and Wuest, 2007 ). This phase also includes devising attack methods such as building fake websites (sometimes phishers get a scam page that is already designed or used, designing malware, constructing phishing emails. The attacker can be categorized based on the attack motivation. There are four types of attackers as mentioned in studies ( Vishwanath, 2005 ; Okin, 2009 ; EDUCBA, 2017 ; APWG, 2020 ):
▪ Script kiddies: the term script kiddies represents an attacker with no technical background or knowledge about writing sophisticated programs or developing phishing tools but instead they use scripts developed by others in their phishing attack. Although the term comes from children that use available phishing kits to crack game codes by spreading malware using virus toolkits, it does not relate precisely to the actual age of the phisher. Script kiddies can get access to website administration privileges and commit a “Web cracking” attack. Moreover, they can use hacking tools to compromise remote computers so-called “botnet,” the single compromised computer called a “zombie computer.” These attackers are not limited to just sit back and enjoy phishing, they could cause serious damage such as stealing information or uploading Trojans or viruses. In February 2000, an attack launched by Canadian teen Mike Calce resulted in $1.7 million US Dollars (USD) damages from Distributed Denial of Service (DDoS) attacks on CNN, eBay, Dell, Yahoo, and Amazon ( Leyden, 2001 ).
▪ Serious Crackers: also known as Black Hats. These attackers can execute sophisticated attacks and develop worms and Trojans for their attack. They hijack people's accounts maliciously and steal credit card information, destroy important files, or sell compromised credentials for personal gains.
▪ Organized crime: this is the most organized and effective type of attacker and they can incur significant damage to victims. These people hire serious crackers for conducting phishing attacks. Moreover, they can thoroughly trash the victim's identity, and committing devastated frauds as they have the skills, tools, and manpower. An organized cybercrime group is a team of expert hackers who share their skills to build complex attacks and to launch phishing campaigns against individuals and organizations. These groups offer their work as ‘crime as a service’ and they can be hired by terrorist groups, organizations, or individuals.
▪ Terrorists: due to our dependency on the internet for most activities, terrorist groups can easily conduct acts of terror remotely which could have an adverse impact. These types of attacks are dangerous since they are not in fear of any aftermath, for instance going to jail. Terrorists could use the internet to the maximum effect to create fear and violence as it requires limited funds, resources, and efforts compared to, for example, buying bombs and weapons in a traditional attack. Often, terrorists use spear phishing to launch their attacks for different purposes such as inflicting damage, cyber espionage, gathering information, locating individuals, and other vandalism purposes. Cyber espionage has been used extensively by cyber terrorists to steal sensitive information on national security, commercial information, and trade secrets which can be used for terrorist activities. These types of crimes may target governments or organizations, or individuals.
Attack Preparation
After making a decision about the targets and gathering information about them, phishers start to set up the attack by scanning for the vulnerabilities to exploit. The following are some examples of vulnerabilities exploited by phishers. For example, the attacker might exploit buffer overflow vulnerability to take control of target applications, create a DoS attack, or compromise computers. Moreover, “zero-day” software vulnerabilities, which refer to newly discovered vulnerabilities in software programs or operating systems could be exploited directly before it is fixed ( Kayne, 2019 ). Another example is browser vulnerabilities, adding new features and updates to the browser might introduce new vulnerabilities to the browser software ( Ollmann, 2004 ). In 2005, attackers exploited a cross-domain vulnerability in Internet Explorer (IE) ( Symantic, 2019 ). The cross-domain used to separate content from different sources in Microsoft IE. Attackers exploited a flaw in the cross-domain that enables them to execute programs on a user's computer after running IE. According to US-CERT, hackers are actively exploiting this vulnerability. To carry out a phishing attack, attackers need a medium so that they can reach their target. Therefore, apart from planning the attack to exploit potential vulnerabilities, attackers choose the medium that will be used to deliver the threat to the victim and carry out the attack. These mediums could be the internet (social network, websites, emails, cloud computing, e-banking, mobile systems) or VoIP (phone call), or text messages. For example, one of the actively used mediums is Cloud Computing (CC). The CC has become one of the more promising technologies and has popularly replaced conventional computing technologies. Despite the considerable advantages produced by CC, the adoption of CC faces several controversial obstacles including privacy and security issues ( CVEdetails, 2005 ). Due to the fact that different customers could share the same recourses in the cloud, virtualization vulnerabilities may be exploited by a possible malicious customer to perform security attacks on other customers’ applications and data ( Zissis and Lekkas, 2012 ). For example, in September 2014, secret photos of some celebrities suddenly moved through the internet in one of the more terrible data breaches. The investigation revealed that the iCloud accounts of the celebrities were breached ( Lehman and Vajpayee, 2011 ). According to Proofpoint, in 2017, attackers used Microsoft SharePoint to infect hundreds of campaigns with malware through messages.
Attack Conducting Phase
This phase involves using attack techniques to deliver the threat to the victim as well as the victim’s interaction with the attack in terms of responding or not. After the victim's response, the system may be compromised by the attacker to collect user's information using techniques such as injecting client-side script into webpages ( Johnson, 2016 ). Phishers can compromise hosts without any technical knowledge by purchasing access from hackers ( Abad, 2005 ). A threat is a possible danger that that might exploit a vulnerability to compromise people’s security and privacy or cause possible harm to a computer system for malicious purposes. Threats could be malware, botnet, eavesdropping, unsolicited emails, and viral links. Several Phishing techniques are discussed in sub- Types and Techniques of Phishing Attacks .
Valuables Acquisition Phase
In this stage, the phisher collects information or valuables from victims and uses it illegally for purchasing, funding money without the user’s knowledge, or selling these credentials in the black market. Attackers target a wide range of valuables from their victims that range from money to people’s lives. For example, attacks on online medical systems may lead to loss of life. Victim’s data can be collected by phishers manually or through automated techniques ( Jakobsson et al., 2007 ).
The data collection can be conducted either during or after the victim’s interaction with the attacker. However, to collect data manually simple techniques are used wherein victims interact directly with the phisher depending on relationships within social networks or other human deception techniques ( Ollmann, 2004 ). Whereas in automated data collection, several techniques can be used such as fake web forms that are used in web spoofing ( Dhamija et al., 2006 ). Additionally, the victim’s public data such as the user’s profile in social networks can be used to collect the victim’s background information that is required to initialize social engineering attacks ( Wenyin et al., 2005 ). In VoIP attacks or phone attack techniques such as recorded messages are used to harvest user's data ( Huber et al., 2009 ).
Types and Techniques of Phishing Attacks
Phishers conduct their attack either by using psychological manipulation of individuals into disclosing personal information (i.e., deceptive attack as a form of social engineering) or using technical methods. Phishers, however, usually prefer deceptive attacks by exploiting human psychology rather than technical methods. Figure 9 illustrates the types of phishing and techniques used by phishers to conduct a phishing attack. Each type and technique is explained in subsequent sections and subsections.
FIGURE 9 . Phishing attack types and techniques drawing upon existing phishing attacks.
Deceptive Phishing
Deceptive phishing is the most common type of phishing attack in which the attacker uses social engineering techniques to deceive victims. In this type of phishing, a phisher uses either social engineering tricks by making up scenarios (i.e., false account update, security upgrade), or technical methods (i.e., using legitimate trademarks, images, and logos) to lure the victim and convince them of the legitimacy of the forged email ( Jakobsson and Myers, 2006 ). By believing these scenarios, the user will fall prey and follow the given link, which leads to disclose his personal information to the phisher.
Deceptive phishing is performed through phishing emails; fake websites; phone phishing (Scam Call and IM); social media; and via many other mediums. The most common social phishing types are discussed below;
Phishing e-Mail
The most common threat derived by an attacker is deceiving people via email communications and this remains the most popular phishing type to date. A Phishing email or Spoofed email is a forged email sent from an untrusted source to thousands of victims randomly. These fake emails are claiming to be from a person or financial institution that the recipient trusts in order to convince recipients to take actions that lead them to disclose their sensitive information. A more organized phishing email that targets a particular group or individuals within the same organization is called spear phishing. In the above type, the attacker may gather information related to the victim such as name and address so that it appears to be credible emails from a trusted source ( Wang et al., 2008 ), and this is linked to the planning phase of the phishing anatomy proposed in this article. A more sophisticated form of spear phishing is called whaling, which targets high-rank people such as CEOs and CFOs. Some examples of spear-phishing attack victims in early 2016 are the phishing email that hacked the Clinton campaign chairman John Podesta’s Gmail account ( Parmar, 2012 ). Clone phishing is another type of email phishing, where the attacker clones a legitimate and previously delivered email by spoofing the email address and using information related to the recipient such as addresses from the legitimate email with replaced links or malicious attachments ( Krawchenko, 2016 ). The basic scenario for this attack is illustrated previously in Figure 4 and can be described in the following steps.
1. The phisher sets up a fraudulent email containing a link or an attachment (planning phase).
2. The phisher executes the attack by sending a phishing email to the potential victim using an appropriate medium (attack conducting phase).
3. The link (if clicked) directs the user to a fraudulent website, or to download malware in case of clicking the attachment (interaction phase).
4. The malicious website prompts users to provide confidential information or credentials, which are then collected by the attacker and used for fraudulent activities. (Valuables acquisition phase).
Often, the phisher does not use the credentials directly; instead, they resell the obtained credentials or information on a secondary market ( Jakobsson and Myers, 2006 ), for instance, script kiddies might sell the credentials on the dark web.
Spoofed Website
This is also called phishing websites, in which phishers forge a website that appears to be genuine and looks similar to the legitimate website. An unsuspicious user is redirected to this website after clicking a link embedded within an email or through an advertisement (clickjacking) or any other way. If the user continues to interact with the spoofed website, sensitive information will be disclosed and harvested by the phisher ( CSIOnsite, 2012 ).
Phone Phishing (Vishing and SMishing)
This type of phishing is conducted through phone calls or text messages, in which the attacker pretends to be someone the victim knows or any other trusted source the victim deals with. A user may receive a convincing security alert message from a bank convincing the victim to contact a given phone number with the aim to get the victim to share passwords or PIN numbers or any other Personally Identifiable Information (PII). The victim may be duped into clicking on an embedded link in the text message. The phisher then could take the credentials entered by the victim and use them to log in to the victims' instant messaging service to phish other people from the victim’s contact list. A phisher could also make use of Caller IDentification (CID) 3 spoofing to dupe the victim that the call is from a trusted source or by leveraging from an internet protocol private branch exchange (IP PBX) 4 tools which are open-source and software-based that support VoIP ( Aburrous et al., 2008 ). A new report from Fraud Watch International about phishing attack trends for 2019 anticipated an increase in SMishing where the text messages content is only viewable on a mobile device ( FraudWatchInternational, 2019 ).
Social Media Attack (Soshing, Social Media Phishing)
Social media is the new favorite medium for cybercriminals to conduct their phishing attacks. The threats of social media can be account hijacking, impersonation attacks, scams, and malware distributing. However, detecting and mitigating these threats requires a longer time than detecting traditional methods as social media exists outside of the network perimeter. For example, the nation-state threat actors conducted an extensive series of social media attacks on Microsoft in 2014. Multiple Twitter accounts were affected by these attacks and passwords and emails for dozens of Microsoft employees were revealed ( Ramzan, 2010 ). According to Kaspersky Lab’s, the number of phishing attempts to visit fraudulent social network pages in the first quarter of 2018 was more than 3.7 million attempts, of which 60% were fake Facebook pages ( Raggo, 2016 ).
The new report from predictive email defense company Vade Secure about phishers’ favorites for quarter 1 and quarter 2 of 2019, stated that Soshing primarily on Facebook and Instagram saw a 74.7% increase that is the highest quarter-over- quarter growth of any industry ( VadeSecure, 2021 ).
Technical Subterfuge
Technical subterfuge is the act of tricking individuals into disclosing their sensitive information through technical subterfuge by downloading malicious code into the victim's system. Technical subterfuge can be classified into the following types:
Malware-Based Phishing
As the name suggests, this is a type of phishing attack which is conducted by running malicious software on a user’s machine. The malware is downloaded to the victim’s machine, either by one of the social engineering tricks or technically by exploiting vulnerabilities in the security system (e.g., browser vulnerabilities) ( Jakobsson and Myers, 2006 ). Panda malware is one of the successful malware programs discovered by Fox-IT Company in 2016. This malware targets Windows Operating Systems (OS). It spreads through phishing campaigns and its main attack vectors include web injects, screenshots of user activity (up to 100 per mouse click), logging of keyboard input, Clipboard pastes (to grab passwords and paste them into form fields), and exploits to the Virtual Network Computing (VNC) desktop sharing system. In 2018, Panda malware expanded its targets to include cryptocurrency exchanges and social media sites ( F5Networks, 2018 ). There are many forms of Malware-based phishing attacks; some of them are discussed below:
Key Loggers and Screen Loggers
Loggers are the type of malware used by phishers and installed either through Trojan horse email attachments or through direct download to the user’s personal computer. This software monitors data and records user keystrokes and then sends it to the phisher. Phisher uses the key loggers to capture sensitive information related to victims, such as names, addresses, passwords, and other confidential data. Key loggers can also be used for non-phishing purposes such as to monitor a child's use of the internet. Key loggers can also be implemented in many other ways such as detecting URL changes and logs information as Browser Helper Object (BHO) that enables the attacker to take control of the features of all IE’s, monitoring keyboard and mouse input as a device driver and, monitoring users input and displays as a screen logger ( Jakobsson and Myers, 2006 ).
Viruses and Worms
A virus is a type of malware, which is a piece of code spreading in another application or program by making copies of itself in a self-automated manner ( Jakobsson and Myers, 2006 ; F5Networks, 2018 ). Worms are similar to viruses but they differ in the execution manner, as worms are executed by exploiting the operating systems vulnerability without the need to modify another program. Viruses transfer from one computer to another with the document that they are attached to, while worms transfer through the infected host file. Both viruses and worms can cause data and software damaging or Denial-of-Service (DoS) conditions ( F5Networks, 2018 ).
Spying software is a malicious code designed to track the websites visited by users in order to steal sensitive information and conduct a phishing attack. Spyware can be delivered through an email and, once it is installed on the computer, take control over the device and either change its settings or gather information such as passwords and credit card numbers or banking records which can be used for identity theft ( Jakobsson and Myers, 2006 ).
Adware is also known as advertising-supported software ( Jakobsson and Myers, 2006 ). Adware is a type of malware that shows the user an endless pop-up window with ads that could harm the performance of the device. Adware can be annoying but most of it is safe. Some of the adware could be used for malicious purposes such as tracking the internet sites the user visits or even recording the user's keystrokes ( cisco, 2018 ).
Ransomware is a type of malware that encrypts the user's data after they run an executable program on the device. In this type of attack, the decryption key is held until the user pays a ransom (cisco, 2018). Ransomware is responsible for tens of millions of dollars in extortion annually. Worse still, this is hard to detect with developing new variants, facilitating the evasion of many antivirus and intrusion detection systems ( Latto, 2020 ). Ransomware is usually delivered to the victim's device through phishing emails. According to a report ( PhishMe, 2016 ), 93% of all phishing emails contained encryption ransomware. Phishing, as a social engineering attack, convinces victims into executing actions without knowing about the malicious program.
A rootkit is a collection of programs, typically malicious, that enables access to a computer or computer network. These toolsets are used by intruders to hide their actions from system administrators by modifying the code of system calls and changing the functionality ( Belcic, 2020 ). The term “rootkit” has negative connotations through its association with malware, and it is used by the attacker to alert existing system tools to escape detection. These kits enable individuals with little or no knowledge to launch phishing exploits. It contains coding, mass emailing software (possibly with thousands of email addresses included), web development software, and graphic design tools. An example of rootkits is the Kernel kit. Kernel-Level Rootkits are created by replacing portions of the core operating system or adding new code via Loadable Kernel Modules in (Linux) or device drivers (in Windows) ( Jakobsson and Myers, 2006 ).
Session Hijackers
In this type, the attacker monitors the user’s activities by embedding malicious software within a browser component or via network sniffing. The monitoring aims to hijack the session, so that the attacker performs an unauthorized action with the hijacked session such as financial transferring, without the user's permission ( Jakobsson and Myers, 2006 ).
Web Trojans
Web Trojans are malicious programs that collect user’s credentials by popping up in a hidden way over the login screen ( Jakobsson and Myers, 2006 ). When the user enters the credentials, these programs capture and transmit the stolen credentials directly to the attacker ( Jakobsson et al., 2007 ).
Hosts File Poisoning
This is a way to trick a user into going to the phisher’s site by poisoning (changing) the host’s file. When the user types a particular website address in the URL bar, the web address will be translated into a numeric (IP) address before visiting the site. The attacker, to take the user to a fake website for phishing purposes, will modify this file (e.g., DNS cache). This type of phishing is hard to detect even by smart and perceptive users ( Ollmann, 2004 ).
System Reconfiguration Attack
In this format of the phishing attack, the phisher manipulates the settings on a user’s computer for malicious activities so that the information on this PC will be compromised. System reconfigurations can be changed using different methods such as reconfiguring the operating system and modifying the user’s Domain Name System (DNS) server address. The wireless evil twin is an example of a system reconfiguration attack in which all user’s traffic is monitored via a malicious wireless Access Point (AP) ( Jakobsson and Myers, 2006 ).
Data theft is an unauthorized accessing and stealing of confidential information for a business or individuals. Data theft can be performed by a phishing email that leads to the download of a malicious code to the user's computer which in turn steals confidential information stored in that computer directly ( Jakobsson and Myers, 2006 ). Stolen information such as passwords, social security numbers, credit card information, sensitive emails, and other personal data could be used directly by a phisher or indirectly by selling it for different purposes.
Domain Name System Based Phishing (Pharming)
Any form of phishing that interferes with the domain name system so that the user will be redirected to the malicious website by polluting the user's DNS cache with wrong information is called DNS-based phishing. Although the host’s file is not a part of the DNS, the host’s file poisoning is another form of DNS based phishing. On the other hand, by compromising the DNS server, the genuine IP addresses will be modified which results in taking the user unwillingly to a fake location. The user can fall prey to pharming even when clicking on a legitimate link because the website’s domain name system (DNS) could be hijacked by cybercriminals ( Jakobsson and Myers, 2006 ).
Content Injection Phishing
Content-Injection Phishing refers to inserting false content into a legitimate site. This malicious content could misdirect the user into fake websites, leading users into disclosing their sensitive information to the hacker or it can lead to downloading malware into the user's device ( Jakobsson and Myers, 2006 ). The malicious content could be injected into a legitimate site in three primary ways:
1. Hacker exploits a security vulnerability and compromises a web server.
2. Hacker exploits a Cross-Site Scripting (XSS) vulnerability that is a programming flaw that enables attackers to insert client-side scripts into web pages, which will be viewed by the visitors to the targeted site.
3. Hacker exploits Structured Query Language (SQL) injection vulnerability, which allows hackers to steal information from the website’s database by executing database commands on a remote server.
Man-In-The-Middle Phishing
The Man In The Middle attack (MITM) is a form of phishing, in which the phishers insert communications between two parties (i.e. the user and the legitimate website) and tries to obtain the information from both parties by intercepting the victim’s communications ( Ollmann, 2004 ). Such that the message is going to the attacker instead of going directly to the legitimate recipients. For a MITM, the attacker records the information and misuse it later. The MITM attack conducts by redirecting the user to a malicious server through several techniques such as Address Resolution Protocol (ARP) poisoning, DNS spoofing, Trojan key loggers, and URL Obfuscation ( Jakobsson and Myers, 2006 ).
Search Engine Phishing
In this phishing technique, the phisher creates malicious websites with attractive offers and use Search Engine Optimization (SEO) tactics to have them indexed legitimately such that it appears to the user when searching for products or services. This is also known as black hat SEO ( Jakobsson and Myers, 2006 ).
URL and HTML Obfuscation Attacks
In most of the phishing attacks, phishers aim to convince a user to click on a given link that connects the victim to a malicious phishing server instead of the destination server. This is the most popular technique used by today's phishers. This type of attack is performed by obfuscating the real link (URL) that the user intends to connect (an attempt from the attacker to make their web address look like the legitimate one). Bad Domain Names and Host Name Obfuscation are common methods used by attackers to fake an address ( Ollmann, 2004 ).
Countermeasures
A range of solutions are being discussed and proposed by the researchers to overcome the problems of phishing, but still, there is no single solution that can be trusted or capable of mitigating these attacks ( Hong, 2012 ; Boddy, 2018 ; Chanti and Chithralekha, 2020 ). The proposed phishing countermeasures in the literature can be categorized into three major defense strategies. The first line of defense is human-based solutions by educating end-users to recognize phishing and avoid taking the bait. The second line of defense is technical solutions that involve preventing the attack at early stages such as at the vulnerability level to prevent the threat from materializing at the user's device, which means decreasing the human exposure, and detecting the attack once it is launched through the network level or at the end-user device. This also includes applying specific techniques to track down the source of the attack (for example these could include identification of new domains registered that are closely matched with well-known domain names). The third line of defense is the use of law enforcement as a deterrent control. These approaches can be combined to create much stronger anti-phishing solutions. The above solutions are discussed in detail below.
Human Education (Improving User Awareness About Phishing)
Human education is by far an effective countermeasure to avoid and prevent phishing attacks. Awareness and human training are the first defense approach in the proposed methodology for fighting against phishing even though it does not assume complete protection ( Hong, 2012 ). End-user education reduces user's susceptibility to phishing attacks and compliments other technical solutions. According to the analysis carried out in ( Bailey et al., 2008 ), 95% of phishing attacks are caused due to human errors; nonetheless, existing phishing detection training is not enough for combating current sophisticated attacks. In the study presented by Khonji et al. (2013) , security experts contradict the effectiveness and usability of user education. Furthermore, some security experts claim that user education is not effective as security is not the main goal for users and users do not have a motivation to educate themselves about phishing ( Scaife et al., 2016 ), while others confirm that user education could be effective if designed properly ( Evers, 2006 ; Whitman and Mattord, 2012 ). Moreover, user training has been mentioned by many researchers as an effective way to protect users when they are using online services ( Dodge et al., 2007 ; Salem et al., 2010 ; Chanti and Chithralekha, 2020 ). To detect and avoid phishing emails, a combined training approach was proposed by authors in the study ( Salem et al., 2010 ). The proposed solution uses a combination of tools and human learning, wherein a security awareness program is introduced to the user as a first step. The second step is using an intelligent system that detects the attacks at the email level. After that, the emails are classified by a fuzzy logic-based expert system. The main critic of this method is that the study chooses only limited characteristics of the emails as distinguishing features ( Kumaraguru et al., 2010 ; CybintCyberSolutions, 2018 ). Moreover, the majority of phishing training programs focus on how to recognize and avoid phishing emails and websites while other threatening phishing types receive less attention such as voice phishing and malware or adware phishing. The authors in ( Salem et al., 2010 ) found that the most used solutions in educating people are not useful if they ignore the notifications/warnings about fake websites. Training users should involve three major directions: the first one is awareness training through holding seminars or online courses for both employees within organizations or individuals. The second one is using mock phishing attacks to attack people to test users’ vulnerability and allow them to assess their own knowledge about phishing. However, only 38% of global organizations claim they are prepared to handle a sophisticated cyber-attack ( Kumaraguru et al., 2010 ). Wombat Security’s State of the Phish™ Report 2018 showed that approximately two-fifths of American companies use computer-based online awareness training and simulated phishing attacks as educating tools on a monthly basis, while just 15% of United Kingdom firms do so ( CybintCyberSolutions, 2018 ). The third direction is educating people by developing games to teach people about phishing. The game developer should take into consideration different aspects before designing the game such as audience age and gender, because people's susceptibility to phishing is varying. Authors in the study ( Sheng et al., 2007 ) developed a game to train users so that they can identify phishing attacks called Anti-Phishing Phil that teaches about phishing web pages, and then tests users about the efficiency and effectiveness of the game. The results from the study showed that the game participants improve their ability to identify phishing by 61% indicating that interactive games might turn out to be a joyful way of educating people. Although, user’s education and training can be very effective to mitigate security threats, phishing is becoming more complex and cybercriminals can fool even the security experts by creating convincing spear phishing emails via social media. Therefore, individual users and employees must have at least basic knowledge about dealing with suspicious emails and report it to IT staff and specific authorities. In addition, phishers change their strategies continuously, which makes it harder for organizations, especially small/medium enterprises to afford the cost of their employee education. With millions of people logging on to their social media accounts every day, social media phishing is phishers' favorite medium to deceive their victims. For example, phishers are taking advantage of the pervasiveness of Facebook to set up creative phishing attacks utilizing the Facebook Login feature that enables the phisher to compromise all the user's accounts with the same credentials (VadeSecure). Some countermeasures are taken by Social networks to reduce suspicious activities on social media such as Two-Factor authentication for logging in, that is required by Facebook, and machine-learning techniques used by Snapchat to detect and prevent suspicious links sent within the app ( Corrata, 2018 ). However, countermeasures to control Soshing and phone phishing attacks might include:
• Install anti-virus, anti-spam software as a first action and keep it up to date to detect and prevent any unauthorized access.
• Educate yourself about recent information on phishing, the latest trends, and countermeasures.
• Never click on hyperlinks attached to a suspicious email, post, tweet, direct message.
• Never trust social media, do not give any sensitive information over the phone or non-trusted account. Do not accept friend requests from people you do not know.
• Use a unique password for each account.
Training and educating users is an effective anti-phishing countermeasure and has already shown promising initial results. The main downside of this solution is that it demands high costs ( Dodge et al., 2007 ). Moreover, this solution requires basic knowledge in computer security among trained users.
Technical Solutions
The proposed technical solutions for detecting and blocking phishing attacks can be divided into two major approaches: non-content based solutions and content-based solutions ( Le et al., 2006 ; Bin et al., 2010 ; Boddy, 2018 ). Both approaches are briefly described in this section. Non-content based methods include blacklists and whitelists that classify the fake emails or webpages based on the information that is not part of the email or the webpage such as URL and domain name features ( Dodge et al., 2007 ; Ma et al., 2009 ; Bin et al., 2010 ; Salem et al., 2010 ). Stopping the phishing sites using blacklist and whitelist approaches, wherein a list of known URLs and sites is maintained, the website under scrutiny is checked against such a list in order to be classified as a phishing or legitimate site. The downside of this approach is that it will not identify all phishing websites. Because once a phishing site is taken down, the phisher can easily register a new domain ( Miyamoto et al., 2009 ). Content-based methods classify the page or the email relying on the information within its content such as texts, images, and also HTML, java scripts, and Cascading Style Sheets (CSS) codes ( Zhang et al., 2007 ; Maurer and Herzner, 2012 ). Content-based solutions involve Machine Learning (ML), heuristics, visual similarity, and image processing methods ( Miyamoto et al., 2009 ; Chanti and Chithralekha, 2020 ). and finally, multifaceted methods, which apply a combination of the previous approaches to detect and prevent phishing attacks ( Afroz and Greenstadt, 2009 ). For email filtering, ML techniques are commonly used for example in 2007, the first email phishing filter was developed by authors in ( Fette et al., 2007 ). This technique uses a set of features such as URLs that use different domain names. Spam filtering techniques ( Cormack et al., 2011 ) and statistical classifiers ( Bergholz et al., 2010 ) are also used to identify a phishing email. Authentication and verification technologies are also used in spam email filtering as an alternative to heuristics methods. For example, the Sender Policy Framework (SPF) verifies whether a sender is valid when accepting mail from a remote mail server or email client ( Deshmukh and raddha Popat, 2017 ).
The technical solutions for Anti-phishing are available at different levels of the delivery chain such as mail servers and clients, Internet Service Providers (ISPs), and web browser tools. Drawing from the proposed anatomy for phishing attacks in Proposed Phishing Anatomy , authors categorize technical solutions into the following approaches:
1. Techniques to detect the attack after it has been launched. Such as by scanning the web to find fake websites. For example, content-based phishing detection approaches are heavily deployed on the Internet. The features from the website elements such as Image, URL, and text content are analyzed using Rule-based approaches and Machine Learning that examine the presence of special characters (@), IP addresses instead of the domain name, prefix/suffix, HTTPS in domain part and other features ( Jeeva and Rajsingh, 2016 ). Fuzzy Logic (FL) has also been used as an anti-phishing model to help classify websites into legitimate or ‘phishy’ as this model deals with intervals rather than specific numeric values ( Aburrous et al., 2008 ).
2. Techniques to prevent the attack from reaching the user's system. Phishing prevention is an important step to defend against phishing by blocking a user from seeing and dealing with the attack. In email phishing, anti-spam software tools can block suspicious emails. Phishers usually send a genuine look-alike email that dupes the user to open an attachment or click on a link. Some of these emails pass the spam filter because phishers use misspelled words. Therefore, techniques that detect fake emails by checking the spelling and grammar correction are increasingly used, so that it can prevent the email from reaching the user's mailbox. Authors in the study ( Fette et al., 2007 ) have developed a new classification algorithm based on the Random Forest algorithm after exploring email phishing utilizing the C4.5 decision tree generator algorithm. The developed method is called "Phishing Identification by Learning on Features of Email Received" (PILFER), which can classify phishing email depending on various features such as IP based URLs, the number of links in the HTML part(s) of an email, the number of domains, the number of dots, nonmatching URLs, and availability of JavaScripts. The developed method showed high accuracy in detecting phishing emails ( Afroz and Greenstadt, 2009 ).
3. Corrective techniques that can take down the compromised website, by requesting the website's Internet Service Provider (ISP) to shut down the fake website in order to prevent more users from falling victims to phishing ( Moore and Clayton, 2007 ; Chanti and Chithralekha, 2020 ). ISPs are responsible for taking down fake websites. Removing the compromised and illegal websites is a complex process; many entities are involved in this process from private companies, self-regulatory bodies, government agencies, volunteer organizations, law enforcement, and service providers. Usually, illegal websites are taken down by Takedown Orders, which are issued by courts or in some jurisdictions by law enforcement. On the other hand, these can be voluntarily taken down by the providers themselves as a result of issued takedown notices ( Moore and Clayton, 2007 ; Hutchings et al., 2016 ). According to PHISHLABS ( PhishLabs, 2019 ) report, taking down phishing sites is helpful but it is not completely effective as these sites can still be alive for days stealing customers' credentials before detecting the attack.
4. Warning tools or security indicators that embedded into the web browser to inform the user after detecting the attack. For example, eBay Toolbar and Account Guard ( eBay Toolbar and Account Guard, 2009 ) protect customer’s eBay and PayPal passwords respectively by alerting the users about the authenticity of the sites that users try to type the password in. Numerous anti-phishing solutions rely mainly on warnings that are displayed on the security toolbar. In addition, some toolbars block suspicious sites to warn about it such as McAfee and Netscape. A study presented in ( Robichaux and Ganger, 2006 ) conducted a test to evaluate the performance of eight anti-phishing solutions, including Microsoft Internet Explorer 7, EarthLink, eBay, McAfee, GeoTrust, Google using Firefox, Netscape, and Netcraft. These tools are warning and blocking tools that allow legitimate sites while block and warn about known phishing sites. The study also found that Internet Explorer and Netcraft Toolbar showed the most effective results than other anti-phishing tools. However, security toolbars are still failing to avoid people falling victim to phishing despite these toolbars improving internet security in general ( Abu-Nimeh and Nair, 2008 ).
5. Authentication ( Moore and Clayton, 2007 ) and authorization ( Hutchings et al., 2016 ) techniques that provide protection from phishing by verifying the identity of the legitimate person. This prevents phishers from accessing a protected resource and conducting their attack. There are three types of authentication; single-factor authentication requires only username and password. The second type is two-factor authentication that requires additional information in addition to the username and password such as an OTP (One-Time Password) which is sent to the user’s email id or phone. The third type is multi-factor authentication using more than one form of identity (i.e., a combination of something you know, something you are, and something you have). Some widely used methods in the authorization process are API authorization and OAuth 2.0 that allow the previously generated API to access the system.
However, the progressive increase in phishing attacks shows that previous methods do not provide the required protection against most existing phishing attacks. Because no single solution or technology could prevent all phishing attacks. An effective anti-phishing solution should be based on a combination of technical solutions and increased user awareness ( Boddy, 2018 ).
Solutions Provided by Legislations as a Deterrent Control
A cyber-attack is considered a crime when an individual intentionally accesses personal information on a computer without permission, even if the individual does not steal information or damage the system ( Mince-Didier, 2020 ). Since the sole objective of almost all phishing attacks is to obtain sensitive information by knowingly intending to commit identity theft, and while there are currently no federal laws in the United States aimed specifically at phishing, therefore, phishing crimes are usually covered under identity theft laws. Phishing is considered a crime even if the victim does not actually fall for the phishing scam, the punishments depend on circumstances and usually include jail, fines, restitution, probation ( Nathan, 2020 ). Phishing attacks are causing different levels of damages to the victims such as financial and reputational losses. Therefore, law enforcement authorities should track down these attacks in order to punish the criminal as with real-world crimes. As a complement to technical solutions and human education, the support provided by applicable laws and regulations can play a vital role as a deterrent control. Increasingly authorities around the world have created several regulations in order to mitigate the increase of phishing attacks and their impact. The first anti-phishing laws were enacted by the United States, where the FTC in the US added the phishing attacks to the computer crime list in January 2004. A year later, the ‘‘Anti-Phishing Act’’ was introduced in the US Congress in March 2005 ( Mohammad et al., 2014 ). Meanwhile, in the United Kingdom, the law legislation is gradually conforming to address phishing and other forms of cyber-crime. In 2006, the United Kingdom government improved the Computer Misuse Act 1990 intending to bring it up to date with developments in computer crime and to increase penalties for breach enacted penalties of up to 10 years ( eBay Toolbar and Account Guard, 2009 ; PhishLabs, 2019 ). In this regard, a student in the United Kingdom who made hundreds of thousands of pounds blackmailing pornography website users was jailed in April 2019 for six years and five months. According to the National Crime Agency (NCA), this attacker was the most prolific cybercriminal to be sentenced in the United Kingdom ( Casciani, 2019 ). Moreover, the organizations bear part of the responsibility in protecting personal information as stated in the Data Protection Act 2018 and EU General Data Protection Regulation (GDPR). Phishing websites also can be taken down through Law enforcement agencies' conduct. In the United Kingdom, websites can be taken down by the National Crime Agency (NCA), which includes the National Cyber Crime Unit, and by the City of London Police, which includes the Police Intellectual Property Crime Unit (PIPCU) and the National Fraud Intelligence Bureau (NFIB) ( Hutchings et al., 2016 ).
However, anti-phishing law enforcement is still facing numerous challenges and limitations. Firstly, after perpetrating the phishing attack, the phisher can vanish in cyberspace making it difficult to prove the guilt attributed to the offender and to recover the damages caused by the attack, limiting the effectiveness of the law enforcement role. Secondly, even if the attacker’s identity is disclosed in the case of international attackers, it will be difficult to bring this attacker to justice because of the differences in countries' legislations (e.g., exchange treaties). Also, the attack could be conducted within a short time span, for instance, the average lifetime for a phishing web site is about 54 h as stated by the APWG, therefore, there must be a quick response from the government and the authorities to detect, control and identify the perpetrators of the attack ( Ollmann, 2004 ).
Phishing attacks remain one of the major threats to individuals and organizations to date. As highlighted in the article, this is mainly driven by human involvement in the phishing cycle. Often phishers exploit human vulnerabilities in addition to favoring technological conditions (i.e., technical vulnerabilities). It has been identified that age, gender, internet addiction, user stress, and many other attributes affect the susceptibility to phishing between people. In addition to traditional phishing channels (e.g., email and web), new types of phishing mediums such as voice and SMS phishing are on the increase. Furthermore, the use of social media-based phishing has increased in use in parallel with the growth of social media. Concomitantly, phishing has developed beyond obtaining sensitive information and financial crimes to cyber terrorism, hacktivism, damaging reputations, espionage, and nation-state attacks. Research has been conducted to identify the motivations and techniques and countermeasures to these new crimes, however, there is no single solution for the phishing problem due to the heterogeneous nature of the attack vector. This article has investigated problems presented by phishing and proposed a new anatomy, which describes the complete life cycle of phishing attacks. This anatomy provides a wider outlook for phishing attacks and provides an accurate definition covering end-to-end exclusion and realization of the attack.
Although human education is the most effective defense for phishing, it is difficult to remove the threat completely due to the sophistication of the attacks and social engineering elements. Although, continual security awareness training is the key to avoid phishing attacks and to reduce its impact, developing efficient anti-phishing techniques that prevent users from being exposed to the attack is an essential step in mitigating these attacks. To this end, this article discussed the importance of developing anti-phishing techniques that detect/block the attack. Furthermore, the importance of techniques to determine the source of the attack could provide a stronger anti-phishing solution as discussed in this article.
Furthermore, this article identified the importance of law enforcement as a deterrent mechanism. Further investigations and research are necessary as discussed below.
1. Further research is necessary to study and investigate susceptibility to phishing among users, which would assist in designing stronger and self-learning anti-phishing security systems.
2. Research on social media-based phishing, Voice Phishing, and SMS Phishing is sparse and these emerging threats are predicted to be significantly increased over the next years.
3. Laws and legislations that apply for phishing are still at their infant stage, in fact, there are no specific phishing laws in many countries. Most of the phishing attacks are covered under traditional criminal laws such as identity theft and computer crimes. Therefore, drafting of specific laws for phishing is an important step in mitigating these attacks in a time where these crimes are becoming more common.
4. Determining the source of the attack before the end of the phishing lifecycle and enforcing law legislation on the offender could help in restricting phishing attacks drastically and would benefit from further research.
It can be observed that the mediums used for phishing attacks have changed from traditional emails to social media-based phishing. There is a clear lag between sophisticated phishing attacks and existing countermeasures. The emerging countermeasures should be multidimensional to tackle both human and technical elements of the attack. This article provides valuable information about current phishing attacks and countermeasures whilst the proposed anatomy provides a clear taxonomy to understand the complete life cycle of phishing.
Author Contributions
This work is by our PhD student ZA supported by her Supervisory Team.
Conflict of Interest
The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.
AOL America Online
APWG Anti Phishing Working Group Advanced
APRANET Advanced Research Projects Agency Network.
ARP address resolution protocol.
BHO Browser Helper Object
BEC business email compromise
COVID-19 Coronavirus disease 2019
CSS cascading style sheets
DDoS distributed denial of service
DNS Domain Name System
DoS Denial of Service
FTC Federal Trade Commission
FL Fuzzy Logic
HTTPS Hypertext Transfer Protocol Secure
IE Internet Explorer
ICT Information and Communications Technology
IM Instant Message
IT Information Technology
IP Internet Protocol
MITM Man-in-the-Middle
NCA National Crime Agency
NFIB National Fraud Intelligence Bureau
PIPCU Police Intellectual Property Crime Unit
OS Operating Systems
PBX Private Branch Exchange
SMishing Text Message Phishing
SPF Sender Policy Framework
SMTP Simple Mail Transfer Protocol
SMS Short Message Service
Soshing Social Media Phishing
SQL structured query language
URL Uniform Resource Locator
UK United Kingdom
US United States
USB Universal Serial Bus
US-CERT United States Computer Emergency Readiness Team.
Vishing Voice Phishing
VNC Virtual Network Computing
VoIP Voice over Internet Protocol
XSS Cross-Site Scripting
1 Proofpoint is “a leading cybersecurity company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions”( Proofpoint, 2019b ).
2 APWG Is “the international coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors and NGO communities” ( APWG, 2020 ).
3 CalleR ID is “a telephone facility that displays a caller’s phone number on the recipient's phone device before the call is answered” ( Techpedia, 2021 ).
4 An IPPBX is “a telephone switching system within an enterprise that switches calls between VoIP users on local lines while allowing all users to share a certain number of external phone lines” ( Margaret, 2008 ).
Abad, C. (2005). The economy of phishing: a survey of the operations of the phishing market. First Monday 10, 1–11. doi:10.5210/fm.v10i9.1272
CrossRef Full Text | Google Scholar
Abu-Nimeh, S., and Nair, S. (2008). “Bypassing security toolbars and phishing filters via dns poisoning,” in IEEE GLOBECOM 2008–2008 IEEE global telecommunications conference , New Orleans, LA , November 30–December 2, 2008 ( IEEE) , 1–6. doi:10.1109/GLOCOM.2008.ECP.386
Aburrous, M., Hossain, M. A., Thabatah, F., and Dahal, K. (2008). “Intelligent phishing website detection system using fuzzy techniques,” in 2008 3rd international conference on information and communication technologies: from theory to applications (New York, NY: IEEE , 1–6. doi:10.1109/ICTTA.2008.4530019
Afroz, S., and Greenstadt, R. (2009). “Phishzoo: an automated web phishing detection approach based on profiling and fuzzy matching,” in Proceeding 5th IEEE international conference semantic computing (ICSC) , 1–11.
Google Scholar
Alsharnouby, M., Alaca, F., and Chiasson, S. (2015). Why phishing still works: user strategies for combating phishing attacks. Int. J. Human-Computer Stud. 82, 69–82. doi:10.1016/j.ijhcs.2015.05.005
APWG (2018). Phishing activity trends report 3rd quarter 2018 . US. 1–11.
APWG (2020). APWG phishing attack trends reports. 2020 anti-phishing work. Group, Inc Available at: https://apwg.org/trendsreports/ (Accessed September 20, 2020).
Arachchilage, N. A. G., and Love, S. (2014). Security awareness of computer users: a phishing threat avoidance perspective. Comput. Hum. Behav. 38, 304–312. doi:10.1016/j.chb.2014.05.046
Arnsten, B. A., Mazure, C. M., and April, R. S. (2012). Everyday stress can shut down the brain’s chief command center. Sci. Am. 306, 1–6. Available at: https://www.scientificamerican.com/article/this-is-your-brain-in-meltdown/ (Accessed October 15, 2019).
Bailey, J. L., Mitchell, R. B., and Jensen, B. k. (2008). “Analysis of student vulnerabilities to phishing,” in 14th americas conference on information systems, AMCIS 2008 , 75–84. Available at: https://aisel.aisnet.org/amcis2008/271 .
Barracuda (2020). Business email compromise (BEC). Available at: https://www.barracuda.com/glossary/business-email-compromise (Accessed November 15, 2020).
Belcic, I. (2020). Rootkits defined: what they do, how they work, and how to remove them. Available at: https://www.avast.com/c-rootkit (Accessed November 7, 2020).
Bergholz, A., De Beer, J., Glahn, S., Moens, M.-F., Paaß, G., and Strobel, S. (2010). New filtering approaches for phishing email. JCS 18, 7–35. doi:10.3233/JCS-2010-0371
Bin, S., Qiaoyan, W., and Xiaoying, L. (2010). “A DNS based anti-phishing approach.” in 2010 second international conference on networks security, wireless communications and trusted computing , Wuhan, China , April 24–25, 2010 . ( IEEE ), 262–265. doi:10.1109/NSWCTC.2010.196
Boddy, M. (2018). Phishing 2.0: the new evolution in cybercrime. Comput. Fraud Secur. 2018, 8–10. doi:10.1016/S1361-3723(18)30108-8
Casciani, D. (2019). Zain Qaiser: student jailed for blackmailing porn users worldwide. Available at: https://www.bbc.co.uk/news/uk-47800378 (Accessed April 9, 2019).
Chanti, S., and Chithralekha, T. (2020). Classification of anti-phishing solutions. SN Comput. Sci. 1, 11. doi:10.1007/s42979-019-0011-2
Checkpoint (2020). Check point research’s Q1 2020 brand phishing report. Available at: https://www.checkpoint.com/press/2020/apple-is-most-imitated-brand-for-phishing-attempts-check-point-researchs-q1-2020-brand-phishing-report/ (Accessed August 6, 2020).
cisco (2018). What is the difference: viruses, worms, Trojans, and bots? Available at: https://www.cisco.com/c/en/us/about/security-center/virus-differences.html (Accessed January 20, 2020).
CISA (2018). What is phishing. Available at: https://www.us-cert.gov/report-phishing (Accessed June 10, 2019).
Cormack, G. V., Smucker, M. D., and Clarke, C. L. A. (2011). Efficient and effective spam filtering and re-ranking for large web datasets. Inf. Retrieval 14, 441–465. doi:10.1007/s10791-011-9162-z
Corrata (2018). The rising threat of social media phishing attacks. Available at: https://corrata.com/the-rising-threat-of-social-media-phishing-attacks/%0D (Accessed October 29, 2019).
Crane, C. (2019). The dirty dozen: the 12 most costly phishing attack examples. Available at: https://www.thesslstore.com/blog/the-dirty-dozen-the-12-most-costly-phishing-attack-examples/#:∼:text=At some level%2C everyone is susceptible to phishing,outright trick you into performing a particular task (Accessed August 2, 2020).
CSI Onsite (2012). Phishing. Available at: http://csionsite.com/2012/phishing/ (Accessed May 8, 2019).
Cui, Q., Jourdan, G.-V., Bochmann, G. V., Couturier, R., and Onut, I.-V. (2017). Tracking phishing attacks over time. Proc. 26th Int. Conf. World Wide Web - WWW ’17 , Republic and Canton of Geneva, Switzerland: International World Wide Web Conferences Steering Committee . 667–676. doi:10.1145/3038912.3052654
CVEdetails (2005). Vulnerability in microsoft internet explorer. Available at: https://www.cvedetails.com/cve/CVE-2005-4089/ (Accessed August 20, 2019).
Cybint Cyber Solutions (2018). 13 alarming cyber security facts and stats. Available at: https://www.cybintsolutions.com/cyber-security-facts-stats/ (Accessed July 20, 2019).
Deshmukh, M., and raddha Popat, S. (2017). Different techniques for detection of phishing attack. Int. J. Eng. Sci. Comput. 7, 10201–10204. Available at: http://ijesc.org/ .
Dhamija, R., Tygar, J. D., and Hearst, M. (2006). “Why phishing works,” in Proceedings of the SIGCHI conference on human factors in computing systems - CHI ’06 , Montréal Québec, Canada , (New York, NY: ACM Press ), 581. doi:10.1145/1124772.1124861
Diaz, A., Sherman, A. T., and Joshi, A. (2020). Phishing in an academic community: a study of user susceptibility and behavior. Cryptologia 44, 53–67. doi:10.1080/01611194.2019.1623343
Dodge, R. C., Carver, C., and Ferguson, A. J. (2007). Phishing for user security awareness. Comput. Security 26, 73–80. doi:10.1016/j.cose.2006.10.009
eBay Toolbar and Account Guard (2009). Available at: https://download.cnet.com/eBay-Toolbar/3000-12512_4-10153544.html (Accessed August 7, 2020).
EDUCBA (2017). Hackers vs crackers: easy to understand exclusive difference. Available at: https://www.educba.com/hackers-vs-crackers/ (Accessed July 17, 2019).
Evers, J. (2006). Security expert: user education is pointless. Available at: https://www.cnet.com/news/security-expert-user-education-is-pointless/ (Accessed June 25, 2019).
F5Networks (2018). Panda malware broadens targets to cryptocurrency exchanges and social media. Available at: https://www.f5.com/labs/articles/threat-intelligence/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media (Accessed April 23, 2019).
Fette, I., Sadeh, N., and Tomasic, A. (2007). “Learning to detect phishing emails,” in Proceedings of the 16th international conference on world wide web - WWW ’07 , Banff Alberta, Canada , (New York, NY: ACM Press) , 649–656. doi:10.1145/1242572.1242660
Financial Fraud Action UK (2017). Fraud the facts 2017: the definitive overview of payment industry fraud. London. Available at: https://www.financialfraudaction.org.uk/fraudfacts17/assets/fraud_the_facts.pdf .
Fraud Watch International (2019). Phishing attack trends for 2019. Available at: https://fraudwatchinternational.com/phishing/phishing-attack-trends-for-2019/ (Accessed October 29, 2019).
FTC (2018). Netflix scam email. Available at: https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/phishing (Accessed May 8, 2019).
Furnell, S. (2007). An assessment of website password practices). Comput. Secur. 26, 445–451. doi:10.1016/j.cose.2007.09.001
Getsafeonline (2017). Caught on the net. Available at: https://www.getsafeonline.org/news/caught-on-the-net/%0D (Accessed August 1, 2020).
GOV.UK (2020). Cyber security breaches survey 2020. Available at: https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020 (Accessed August 6, 2020).
Gupta, P., Srinivasan, B., Balasubramaniyan, V., and Ahamad, M. (2015). “Phoneypot: data-driven understanding of telephony threats,” in Proceedings 2015 network and distributed system security symposium , (Reston, VA: Internet Society ), 8–11. doi:10.14722/ndss.2015.23176
Hadlington, L. (2017). Human factors in cybersecurity; examining the link between internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon 3, e00346-18. doi:10.1016/j.heliyon.2017.e00346
Herley, C., and Florêncio, D. (2008). “A profitless endeavor,” in New security paradigms workshop (NSPW ’08) , New Hampshire, United States , October 25–28, 2021 , 1–12. doi:10.1145/1595676.1595686
Hewage, C. (2020). Coronavirus pandemic has unleashed a wave of cyber attacks – here’s how to protect yourself. Conversat . Available at: https://theconversation.com/coronavirus-pandemic-has-unleashed-a-wave-of-cyber-attacks-heres-how-to-protect-yourself-135057 (Accessed November 16, 2020).
Hong, J. (2012). The state of phishing attacks. Commun. ACM 55, 74–81. doi:10.1145/2063176.2063197
Huber, M., Kowalski, S., Nohlberg, M., and Tjoa, S. (2009). “Towards automating social engineering using social networking sites,” in 2009 international conference on computational science and engineering , Vancouver, BC , August 29–31, 2009 ( IEEE , 117–124. doi:10.1109/CSE.2009.205
Hutchings, A., Clayton, R., and Anderson, R. (2016). “Taking down websites to prevent crime,” in 2016 APWG symposium on electronic crime research (eCrime) ( IEEE ), 1–10. doi:10.1109/ECRIME.2016.7487947
Iuga, C., Nurse, J. R. C., and Erola, A. (2016). Baiting the hook: factors impacting susceptibility to phishing attacks. Hum. Cent. Comput. Inf. Sci. 6, 8. doi:10.1186/s13673-016-0065-2
Jagatic, T. N., Johnson, N. A., Jakobsson, M., and Menczer, F. (2007). Social phishing. Commun. ACM 50, 94–100. doi:10.1145/1290958.1290968
Jakobsson, M., and Myers, S. (2006). Phishing and countermeasures: understanding the increasing problems of electronic identity theft . New Jersey: John Wiley and Sons .
Jakobsson, M., Tsow, A., Shah, A., Blevis, E., and Lim, Y. K. (2007). “What instills trust? A qualitative study of phishing,” in Lecture notes in computer science (including subseries lecture notes in artificial intelligence and lecture notes in bioinformatics) , (Berlin, Heidelberg: Springer ), 356–361. doi:10.1007/978-3-540-77366-5_32
Jeeva, S. C., and Rajsingh, E. B. (2016). Intelligent phishing url detection using association rule mining. Hum. Cent. Comput. Inf. Sci. 6, 10. doi:10.1186/s13673-016-0064-3
Johnson, A. (2016). Almost 600 accounts breached in “celebgate” nude photo hack, FBI says. Available at: http://www.cnbc.com/id/102747765 (Accessed: February 17, 2020).
Kayne, R. (2019). What are script kiddies? Wisegeek. Available at: https://www.wisegeek.com/what-are-script-kiddies.htm V V February 19, 2020).
Keck, C. (2018). FTC warns of sketchy Netflix phishing scam asking for payment details. Available at: https://gizmodo.com/ftc-warns-of-sketchy-netflix-phishing-scam-asking-for-p-1831372416 (Accessed April 23, 2019).
Keepnet LABS (2018). Statistical analysis of 126,000 phishing simulations carried out in 128 companies around the world. USA, France. Available at: www.keepnetlabs.com .
Keinan, G. (1987). Decision making under stress: scanning of alternatives under controllable and uncontrollable threats. J. Personal. Soc. Psychol. 52, 639–644. doi:10.1037/0022-3514.52.3.639
Khonji, M., Iraqi, Y., and Jones, A. (2013). Phishing detection: a literature survey. IEEE Commun. Surv. Tutorials 15, 2091–2121. doi:10.1109/SURV.2013.032213.00009
Kirda, E., and Kruegel, C. (2005). Protecting users against phishing attacks with AntiPhish. Proc. - Int. Comput. Softw. Appl. Conf. 1, 517–524. doi:10.1109/COMPSAC.2005.126
Krawchenko, K. (2016). The phishing email that hacked the account of John Podesta. CBSNEWS Available at: https://www.cbsnews.com/news/the-phishing-email-that-hacked-the-account-of-john-podesta/ (Accessed April 13, 2019).
Ksepersky (2020). Spam and phishing in Q1 2020. Available at: https://securelist.com/spam-and-phishing-in-q1-2020/97091/ (Accessed July 27, 2020).
Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Trans. Internet Technol. 10, 1–31. doi:10.1145/1754393.1754396
Latto, N. (2020). What is adware and how can you prevent it? Avast. Available at: https://www.avast.com/c-adware (Accessed May 8, 2020).
Le, D., Fu, X., and Hogrefe, D. (2006). A review of mobility support paradigms for the internet. IEEE Commun. Surv. Tutorials 8, 38–51. doi:10.1109/COMST.2006.323441
Lehman, T. J., and Vajpayee, S. (2011). “We’ve looked at clouds from both sides now,” in 2011 annual SRII global conference , San Jose, CA , March 20–April 2, 2011 , ( IEEE , 342–348. doi:10.1109/SRII.2011.46
Leyden, J. (2001). Virus toolkits are s’kiddie menace. Regist . Available at: https://www.theregister.co.uk/2001/02/21/virus_toolkits_are_skiddie_menace/%0D (Accessed June 15, 2019).
Lin, J., Sadeh, N., Amini, S., Lindqvist, J., Hong, J. I., and Zhang, J. (2012). “Expectation and purpose,” in Proceedings of the 2012 ACM conference on ubiquitous computing - UbiComp ’12 (New York, New York, USA: ACM Press ), 1625. doi:10.1145/2370216.2370290
Lininger, R., and Vines, D. R. (2005). Phishing: cutting the identity theft line. Print book . Indiana: Wiley Publishing, Inc .
Ma, J., Saul, L. K., Savage, S., and Voelker, G. M. (2009). “Identifying suspicious URLs.” in Proceedings of the 26th annual international conference on machine learning - ICML ’09 (New York, NY: ACM Press ), 1–8. doi:10.1145/1553374.1553462
Marforio, C., Masti, R. J., Soriente, C., Kostiainen, K., and Capkun, S. (2015). Personalized security indicators to detect application phishing attacks in mobile platforms. Available at: http://arxiv.org/abs/1502.06824 .
Margaret, R. I. P. (2008). PBX (private branch exchange). Available at: https://searchunifiedcommunications.techtarget.com/definition/IP-PBX (Accessed June 19, 2019).
Maurer, M.-E., and Herzner, D. (2012). Using visual website similarity for phishing detection and reporting. 1625–1630. doi:10.1145/2212776.2223683
Medvet, E., Kirda, E., and Kruegel, C. (2008). “Visual-similarity-based phishing detection,” in Proceedings of the 4th international conference on Security and privacy in communication netowrks - SecureComm ’08 (New York, NY: ACM Press ), 1. doi:10.1145/1460877.1460905
Merwe, A. v. d., Marianne, L., and Marek, D. (2005). “Characteristics and responsibilities involved in a Phishing attack, in WISICT ’05: proceedings of the 4th international symposium on information and communication technologies . Trinity College Dublin , 249–254.
Microsoft (2020). Exploiting a crisis: how cybercriminals behaved during the outbreak. Available at: https://www.microsoft.com/security/blog/2020/06/16/exploiting-a-crisis-how-cybercriminals-behaved-during-the-outbreak/ (Accessed August 1, 2020).
Mince-Didier, A. (2020). Hacking a computer or computer network. Available at: https://www.criminaldefenselawyer.com/resources/hacking-computer.html (Accessed August 7, 2020).
Miyamoto, D., Hazeyama, H., and Kadobayashi, Y. (2009). “An evaluation of machine learning-based methods for detection of phishing sites,” in international conference on neural information processing ICONIP 2008: advances in neuro-information processing lecture notes in computer science . Editors M. Köppen, N. Kasabov, and G. Coghill (Berlin, Heidelberg: Springer Berlin Heidelberg ), 539–546. doi:10.1007/978-3-642-02490-0_66
Mohammad, R. M., Thabtah, F., and McCluskey, L. (2014). Predicting phishing websites based on self-structuring neural network. Neural Comput. Applic 25, 443–458. doi:10.1007/s00521-013-1490-z
Moore, T., and Clayton, R. (2007). “Examining the impact of website take-down on phishing,” in Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit on - eCrime ’07 (New York, NY: ACM Press ), 1–13. doi:10.1145/1299015.1299016
Morgan, S. (2019). 2019 official annual cybercrime report. USA, UK, Canada. Available at: https://www.herjavecgroup.com/wp-content/uploads/2018/12/CV-HG-2019-Official-Annual-Cybercrime-Report.pdf .
Nathan, G. (2020). What is phishing? + laws, charges & statute of limitations. Available at: https://www.federalcharges.com/phishing-laws-charges/ (Accessed August 7, 2020).
Okin, S. (2009). From script kiddies to organised cybercrime. Available at: https://comsecglobal.com/from-script-kiddies-to-organised-cybercrime-things-are-getting-nasty-out-there/ (Accessed August 12, 2019).
Ollmann, G. (2004). The phishing guide understanding & preventing phishing attacks abstract. USA. Available at: http://www.ngsconsulting.com .
Ong, S. (2014). Avast survey shows men more susceptible to mobile malware. Available at: https://www.mirekusoft.com/avast-survey-shows-men-more-susceptible-to-mobile-malware/ (Accessed November 5, 2020).
Ovelgönne, M., Dumitraş, T., Prakash, B. A., Subrahmanian, V. S., and Wang, B. (2017). Understanding the relationship between human behavior and susceptibility to cyber attacks. ACM Trans. Intell. Syst. Technol. 8, 1–25. doi:10.1080/00207284.1985.11491413
Parmar, B. (2012). Protecting against spear-phishing. Computer Fraud Security , 2012, 8–11. doi:10.1016/S1361-3723(12)70007-6
Phish Labs (2019). 2019 phishing trends and intelligence report the growing social engineering threat. Available at: https://info.phishlabs.com/hubfs/2019 PTI Report/2019 Phishing Trends and Intelligence Report.pdf .
PhishMe (2016). Q1 2016 malware review. Available at: WWW.PHISHME.COM .
PhishMe (2017). Human phishing defense enterprise phishing resiliency and defense report 2017 analysis of susceptibility, resiliency and defense against simulated and real phishing attacks. Available at: https://cofense.com/wp-content/uploads/2017/11/Enterprise-Phishing-Resiliency-and-Defense-Report-2017.pdf .
PishTank (2006). What is phishing. Available at: http://www.phishtank.com/what_is_phishing.php?view=website&annotated=true (Accessed June 19, 2019).
Pompon, A. R., Walkowski, D., and Boddy, S. (2018). Phishing and Fraud Report attacks peak during the holidays. US .
Proofpoint (2019a). State of the phish 2019 report. Sport Mark. Q. 14, 4. doi:10.1038/sj.jp.7211019
Proofpoint (2019b). What is Proofpoint. Available at: https://www.proofpoint.com/us/company/about (Accessed September 25, 2019).
Proofpoint (2020). 2020 state of the phish. Available at: https://www.proofpoint.com/sites/default/files/gtd-pfpt-us-tr-state-of-the-phish-2020.pdf .
Raggo, M. (2016). Anatomy of a social media attack. Available at: https://www.darkreading.com/analytics/anatomy-of-a-social-media-attack/a/d-id/1326680 (Accessed March 14, 2019).
Ramanathan, V., and Wechsler, H. (2012). PhishGILLNET-phishing detection methodology using probabilistic latent semantic analysis, AdaBoost, and co-training. EURASIP J. Info. Secur. 2012, 1–22. doi:10.1186/1687-417X-2012-1
Ramzan, Z. (2010). “Phishing attacks and countermeasures,” in Handbook of Information and communication security (Berlin, Heidelberg: Springer Berlin Heidelberg ), 433–448. doi:10.1007/978-3-642-04117-4_23
Ramzan, Z., and Wuest, C. (2007). “Phishing Attacks: analyzing trends in 2006,” in Fourth conference on email and anti-Spam (Mountain View , ( California, United States ).
Rhett, J. (2019). Don’t fall for this new Google translate phishing attack. Available at: https://www.gizmodo.co.uk/2019/02/dont-fall-for-this-new-google-translate-phishing-attack/ (Accessed April 23, 2019). doi:10.5040/9781350073272
RISKIQ (2020). Investigate | COVID-19 cybercrime weekly update. Available at: https://www.riskiq.com/blog/analyst/covid19-cybercrime-update/%0D (Accessed August 1, 2020).
Robichaux, P., and Ganger, D. L. (2006). Gone phishing: evaluating anti-phishing tools for windows. Available at: http://www.3sharp.com/projects/antiphishing/gonephishing.pdf .
Rouse, M. (2013). Phishing defintion. Available at: https://searchsecurity.techtarget.com/definition/phishing (Accessed April 10, 2019).
Salem, O., Hossain, A., and Kamala, M. (2010). “Awareness program and AI based tool to reduce risk of phishing attacks,” in 2010 10th IEEE international conference on computer and information technology (IEEE) , Bradford, United Kingdom , June 29–July 1, 2010, 2001 ( IEEE ), 1418–1423. doi:10.1109/CIT.2010.254
Scaife, N., Carter, H., Traynor, P., and Butler, K. R. B. (2016). “Crypto lock (and drop it): stopping ransomware attacks on user data,” in 2016 IEEE 36th international conference on distributed computing systems (ICDCS) ( IEEE , 303–312. doi:10.1109/ICDCS.2016.46
Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., et al. (2007). “Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish,” in Proceedings of the 3rd symposium on usable privacy and security - SOUPS ’07 (New York, NY: ACM Press ), 88–99. doi:10.1145/1280680.1280692
Symantic, (2019). Internet security threat report volume 24|February 2019 . USA.
Techpedia (2021). Caller ID. Available at: https://www.techopedia.com/definition/24222/caller-id (Accessed June 19, 2019).
VadeSecure (2021). Phishers favorites 2019. Available at: https://www.vadesecure.com/en/ (Accessed October 29, 2019).
Vishwanath, A. (2005). “Spear phishing: the tip of the spear used by cyber terrorists,” in deconstruction machines (United States: University of Minnesota Press ), 469–484. doi:10.4018/978-1-5225-0156-5.ch023
Wang, X., Zhang, R., Yang, X., Jiang, X., and Wijesekera, D. (2008). “Voice pharming attack and the trust of VoIP,” in Proceedings of the 4th international conference on security and privacy in communication networks, SecureComm’08 , 1–11. doi:10.1145/1460877.1460908
Wenyin, L., Huang, G., Xiaoyue, L., Min, Z., and Deng, X. (2005). “Detection of phishing webpages based on visual similarity,” in 14th international world wide web conference, WWW2005 , Chiba, Japan , May 10–14, 2005 , 1060–1061. doi:10.1145/1062745.1062868
Whitman, M. E., and Mattord, H. J. (2012). Principles of information security. Course Technol. 1–617. doi:10.1016/B978-0-12-381972-7.00002-6
Williams, E. J., Hinds, J., and Joinson, A. N. (2018). Exploring susceptibility to phishing in the workplace. Int. J. Human-Computer Stud. 120, 1–13. doi:10.1016/j.ijhcs.2018.06.004
wombatsecurity.com (2018). Wombat security user risk report. USA. Available at: https://info.wombatsecurity.com/hubfs/WombatProofpoint-UserRiskSurveyReport2018_US.pdf .
Workman, M. (2008). Wisecrackers: a theory-grounded investigation of phishing and pretext social engineering threats to information security. J. Am. Soc. Inf. Sci. 59 (4), 662–674. doi:10.1002/asi.20779
Yeboah-Boateng, E. O., and Amanor, P. M. (2014). Phishing , SMiShing & vishing: an assessment of threats against mobile devices. J. Emerg. Trends Comput. Inf. Sci. 5 (4), 297–307.
Zhang, Y., Hong, J. I., and Cranor, L. F. (2007). “Cantina,” in Proceedings of the 16th international conference on World Wide Web - WWW ’07 (New York, NY: ACM Press ), 639. doi:10.1145/1242572.1242659
Zissis, D., and Lekkas, D. (2012). Addressing cloud computing security issues. Future Generat. Comput. Syst. 28, 583–592. doi:10.1016/j.future.2010.12.006
Keywords: phishing anatomy, precautionary countermeasures, phishing targets, phishing attack mediums, phishing attacks, attack phases, phishing techniques
Citation: Alkhalil Z, Hewage C, Nawaf L and Khan I (2021) Phishing Attacks: A Recent Comprehensive Study and a New Anatomy. Front. Comput. Sci. 3:563060. doi: 10.3389/fcomp.2021.563060
Received: 17 May 2020; Accepted: 18 January 2021; Published: 09 March 2021.
Reviewed by:
Copyright © 2021 Alkhalil, Hewage, Nawaf and Khan. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
*Correspondence: Chaminda Hewage, [email protected]
This article is part of the Research Topic
2021 Editor's Pick: Computer Science
THE UNIVERSITY OF COLORADO SYSTEM
- BOULDER CAMPUS
- Academic Programs
- Admissions Information
- Tuition Information
- Scholarships & Financial Aid
- COLORADO SPRINGS CAMPUS
- Scholarships & Financial Aid
- DENVER CAMPUS
- ANSCHUTZ MEDICAL CAMPUS
- Banking Services
- Merchant Services
- Treasury Pool
- Non-Pool Investments
- University Debt
- Housing Assistance Programs
- Online Store
- Financial Links
You are here
Identity theft briefing paper, popular searches.
- Controller Procedures
- Accounting & Finance
- Controller Training
- PSC Procedures
- PSC Training
CU System Departments
- Board of Regents
- Office of the President
- Office of Diversity, Equity, and Inclusion
- Budget & Finance
- University Controller
- CU Data Made Simple
- University Counsel
- Internal Audit
- Office of Ethics, Risk and Compliance (Incl. Title IX)
- University Risk Management
- Office of Policy and Efficiency (OPE)
- University Relations
- Office of Government Relations
- Outreach & Engagement
- Office of Advancement
- Office of Academic Affairs
- Faculty Senate | Faculty Council
- Faculty Senate Grievance Committee
- Coleman Institute for Cognitive Disabilities
- Colorado Learning and Teaching with Technology Conference (COLTT)
- President's Teaching Scholars Program
- Boettcher Webb-Waring Biomedical Research Award
- Employee Services (HR, Benefits, Payroll, Learning)
- University Information Services (UIS)
- Office of Information Security
- Procurement Service Center
- System Staff Council
- University of Colorado Staff Council
Identity theft (also known as identity fraud or true name fraud) is one of today’s fastest growing crimes. While it might appear that the true victims of this crime are the merchants and lenders who extend credit to the thief in another person’s name, they are not alone – all consumers pay higher prices to offset these fraud losses, while the victims whose identities are stolen suffer greatly because of the loss of their good name.
What is Identity Theft?
The basic goal of the identity thief is to steal personal information sufficient to impersonate a victim, so as to obtain credit cards, loans, and other items of value in the victim’s name rather than their own name. In many cases, it is a crime of opportunity – a wallet is stolen, information is picked up by chance, a statement is delivered to an unattended mailbox, or someone’s social security number is posted on the Internet. In other cases, the thief purposely pursues people who are in the news – minor celebrities, award-winners, athletes, accident victims, etc. – to mine the available publicity and data for identifying information.
What Information Is Needed To Steal An Identity?
Surprisingly little information is needed to impersonate a victim. The magic keys to a person’s identity are their name and Social Security Number. So many databases in our society are keyed to this number that once obtained, it is virtually trivial to pass oneself off as the victim. However, an accumulation of other information can serve equally well – current or previous address, birth date, telephone number, biographical information, occupation, employer… Once identifying information is acquired, it is straightforward to apply for loans and credit cards, make purchases, obtain additional information and credit reports, change addresses on existing accounts, open and close accounts, apply for new drivers licenses and other identification, obtain passwords – the list goes on and on.
What Are The Potential Consequences of Identity Theft?
Identity theft has always been used by crooks as a tool to commit other forms of fraud and embezzlement, but has been given a real boost by the widespread use of the Internet. Thieves apply for, and often receive, multiple credit cards, personal loans, automobile loans, checking accounts, and other accounts in the name of the victim. They run these accounts up to the maximum, and then fail to make payments. This is particularly easy to do very quickly over the Internet, given its automated nature and the inability to physically verify an applicant’s identity. These fraudulent accounts can total hundreds of thousands of dollars. Once they are past due, collectors harass the unsuspecting victim for payment. At best, the victim is inconvenienced by these collection efforts; at worst, their entire quality of life is irretrievably destroyed – and they usually must go through an extended, costly, and painful process to restore their good name.
Protecting Consumers’ Identity – For Businesses
Perhaps the most important step a business can take to prevent identity theft is to not use the Social Security number as its customer identification number. Other steps include ensuring that this number does not appear on any reports released to the public or to employees at large, educating employees on the importance of keeping personal information about themselves and customers private, verifying the identity of callers claiming to be customers, and scrubbing personally identifiable information from their web site.
Protecting Your Identity – For Consumers There are several very useful web sites listed below that outline the steps you should take to protect your identity from thieves, as well as what to do to recover from this alarming crime. In general, preventive steps include not giving out personal information unless it is absolutely necessary to complete a transaction, protecting your wallet or purse from theft, shredding sensitive personal and financial documents, and periodically reviewing your credit report to catch suspicious activity. Recovery steps include contacting credit reporting agencies to put a fraud alert on your credit file, filing crime reports with law enforcement agencies, contacting the security departments of merchants listing unauthorized accounts, and, most of all, remaining persistent.
- The US Government’s central identity theft information site, maintained by the Federal Trade Commission
- US Department of Justice’s site – a good range of resources
- Privacy Rights Clearinghouse – substantial repository of white papers, resources, and links to other useful sites on this topic as well as privacy in general
1800 Grant Street, Suite 600 | Denver, CO 80203 | Campus Box 25 UCA Main: 303-837-2183 | Administrative Assistant: 303-837-2131 | Fax: 303-837-2188
1800 Grant Street, Suite 800 | Denver, CO 80203 General: (303) 860-5600 | Fax: (303) 860-5610 | Media: (303) 860-5626 © Regents of the University of Colorado | Privacy Policy | Terms of Service |
To revisit this article, visit My Profile, then View saved stories .
- What Is Cinema?
- Newsletters
Identity Theft Is a “Kafkaesque” Nightmare. AI Makes It Way Worse.
By Nick Bilton
This is the story of William Woods. No, not the fake William Woods. The real William Woods. It’s a story that traverses more than three decades, zigzagging from a hot dog stand to a jail with a stop at a mental institution and ending with—well, you.
It all began 36 years ago in the sun-drenched streets of Albuquerque, where William Woods was working at a hot dog stand, serving office workers and city dwellers. On an otherwise unremarkable day, his coworker—a large man with dark hair named Matthew Keirans —stole Woods’s wallet. With it, Keirans pilfered not just Woods’s Social Security number but eventually his entire identity. The theft was the seed of an existential usurpation and the beginning of a Kafkaesque nightmare for William Woods. That’s because Keirans had decided to become William Woods to escape his own troubled past. By 1990, Keirans had used the Social Security number to obtain a Colorado ID in Woods’s name; he then opened a bank account (also in Woods’s name) and wrote some checks that later bounced, according to court documents.
This is where reality broke in two. Keirans decided he would straighten out his life, and after stops in Idaho and Oregon, marriage and the birth of a son, he settled in Wisconsin. Within a year, he got a job working in IT for the University of Iowa Hospitals and Clinics, where he made more than $100,00 a year. He bought a house and two cars, and lived a version of the American dream—albeit a slightly different one. He lived all of it as William Woods.
Meanwhile, about 2,000 miles away, the real William Woods’s life was on a very different track. He ended up homeless, living on the unforgiving streets of Los Angeles, doing odd jobs and selling scraps of metal to get by. After almost three decades, he finally discovered what had happened: that Keirans had stolen his identity and was living as him. Woods learned that Keirans maintained deposits at a national bank with a branch in Los Angeles, and had used Woods’s name, Social Security number, and date of birth to accumulate eight loans from credit unions totaling more than $200,000, according to the US Attorney’s Office in the Northern District of Iowa. Seeking to reclaim his identity and not wanting to pay the debt, Woods explained to a branch manager that he was actually William Woods and demanded that the accounts opened in his name be closed. But when the manager called the number on file, Keirans answered and said that the man standing in the bank branch was actually Matthew Keirans, who had stolen his identity, and that the bank should call the police. When the cops showed up, they arrested Woods and held him without bail at the Los Angeles County Jail. The charge: identity theft and false impersonation, both felonies. In other words, he was charged with saying he was William Woods.
Throughout the legal proceedings, Woods maintained that he was William Woods, not Matthew Keirans. But the Los Angeles judge didn’t believe him, and sent Woods to jail for 428 days. When he finally got out and was brought before the judge again, Woods still refused to declare that he was Matthew Keirans; the judge declared him mentally unfit for trial and sent him to a California mental hospital where he was treated with psychotropic drugs and other therapies, and held for 147 days, stuck in the limbo of the psych ward, his reality dismissed as delusion, according to court records. Woods was finally allowed to leave the hospital on one condition: that he plead no contest and admit that he was Matthew Keirans.
In January 2023, Woods found out where Keirans worked and contacted security at the University of Iowa Hospitals and Clinics, which forwarded his concerns to the University of Iowa police. Ian Mallory, a UI police detective, appeared to be the first to believe Woods. He pulled Woods’s birth certificate, then gave his father a DNA test, and then tested Woods, finally proving that William Woods was who he said he was. When Mallory approached Keirans with the irrefutable evidence, he knew it was game over. “My life is over,” he later said, according to court records. Keirans pleaded guilty and was convicted on one count of making a false statement to a National Credit Union Administration insured institution to obtain a loan, and one count of aggravated identity theft. He now faces up to 32 years in prison, a fine that could reach $1.25 million, and five years of supervised release following any imprisonment, according to the US Attorney’s Office in Iowa’s Northern District.
By Dan Adler
By Kase Wickman
By Bess Levin
The story of William Woods, real and manipulated, unfolds as a stark reminder of the dangers posed by identity theft, even without employing today's rapidly evolving technology. The advent of advanced AI and deepfake technology has introduced a new kind of threat. An individual’s appearance and voice can be cloned with disturbing accuracy, leading to scenarios in which people are deceived into making financial transactions or disclosing sensitive information.
“Identity theft is getting easier, thanks to technology. It used to be that someone would misuse your credit card or open a fake loan. In the Woods case, his entire life was taken over. That gets easier when AI can generate a huge amount of realistic false documents,” Lou Steinberg, the founder and managing partner of CTM Insights, a cybersecurity research lab, told me, noting that this will only become more prevalent with deepfake technology. “In the Woods case, the fraudster could fool people who didn't know the real victim. In the future, he could have a phone call, Zoom, or FaceTime chat with people who do know the victim and fool those people too.”
There are already numerous stories of AI and deepfake technology being used to steal people’s identity and to perpetrate crimes with the theft of someone’s likeness and, in some instances, entire identity. Earlier this year, a finance worker at a multinational bank was conned into transferring $25 million to criminals during a video conference call, where deepfake technology was used to impersonate the company’s chief financial officer and other staff members. The worker who made the transfer believed the people he was talking to were his coworkers, because they looked and sounded like them. There’s the story of a mom in Georgia getting ready to send hackers $50,000 in ransom money when she was led to believe her daughter had been kidnapped (the hackers stole her daughter’s voice from social media and mimicked it), or the Chinese exchange student who was so frightened by an AI hoax that he ran away from his host family’s home and took his own ransom photos that were used to extort money from his family in China, or the San Francisco couple who believed their son was lying in a pool of blood under a car after being in a terrible accident and forked over $15,500 to a lawyer , who was actually a scammer.
The intersection of Woods’s harrowing personal ordeal under supposedly normal circumstances and the ease with which identities can now be appropriated via technology illuminates a daunting future. Steinberg, the founder of CTM Insights, thinks that we’re about to move past “identity theft”—essentially what Woods experienced on a terrifying longitudinal scale—to an era of “identity hijacking” in which bad actors not only take over your name and claim hold of your history but also use re-creations of your voice, make new images of you, and become a virtual version of you that is indistinguishable from the real you. All, of course, without your authorization.
Just last week, a principal at a Maryland high school was put on leave after a 42-second audio clip surfaced online of him deriding Black students, calling them “ungrateful” and saying that they would be unable to “test their way out of a paper bag.” It was later revealed that the audio was artificially created using AI tools by a disgruntled former athletic director at the school. The athletic director was arrested at Baltimore/Washington International Thurgood Marshall Airport, and faces charges that include stalking, disruption of school operations, and retaliation against a witness, as reported by WBAL TV in Baltimore. The tools used to create the fake AI clip were easily accessible online. Hany Farid, a computer science professor at the University of California, Berkeley, who consulted with police on the case, told The Washington Post that the audio recording had been created using just a few seconds of the principal’s voice.
So, how do we stop this from happening to all of us? The Federal Trade Commission reported recently that it received fraud reports from 2.6 million Americans in 2023, the same as in the previous year, with investment and impostor scams topping the list. Losses from fraud totaled $10 billion. Ben Colman, cofounder and CEO of Reality Defender, which builds deepfake detection software, says the onus should be on the institutions, like banks and schools and government, to ensure we’re not defrauded in the future. “Deepfakes are so convincing that every member of our team—including several with PhDs—have undoubtedly fallen for one at one point. The only way to stop AI is with AI,” Colman said. “The institutions we trust—the same institutions that are at risk of being defrauded—have the responsibility of separating real from fake.”
Clearly, the institutions not only failed Woods, but they were the same institutions that were responsible for throwing him in jail and subsequently a mental hospital. Lucky for Woods, another more old-school technology—DNA—eventually set him free. His case was finally vacated last month by Los Angeles County Superior Court Judge William C. Ryan, who said at the hearing that what happened to Woods was truly astounding. “The word that comes to mind is Kafkaesque,” Ryan said. “Out of the novels of Franz Kafka.” Woods told the Los Angeles Times , “I’m happy, because I knew I was innocent.”
More Great Stories From Vanity Fair
Live Updates From the 2024 Cannes Film Festival
Cover Star Chris Hemsworth on Fear, Love, and Escaping Hollywood
Everything to Know About the Worm That Allegedly Crawled Inside RFK Jr.’s Brain and Died
Meet the Mastermind Behind New York’s Celebrity Playground of Choice
The Vatican’s Secret Role in the Science of IVF
Griffin Dunne on the Tragic Death That Reshaped His Family
Visit the VF Shop and Get Our Brand-New Tote (and Much More)
Nick Bilton
Special correspondent.
By Joy Press
By Savannah Walsh
By Julie Miller
When to sign up for an identity protection service
- How to choose an identity theft protection service
- What are the signs of a good identity theft protection service?
Red flags in identity theft protection services
- Frequently asked questions
How to get identity theft protection
Affiliate links for the products on this page are from partners that compensate us and terms apply to offers listed (see our advertiser disclosure with our list of partners for more details). However, our opinions are our own. See how we rate products and services to help you make smart decisions with your money.
- While anyone can benefit from identity protection, prior victims are especially at risk of identity theft.
- Choose identity theft protection services that offer preventive measures and recovery features.
- You can protect your own identity by requesting free weekly credit reports from the credit bureaus.
According to a study from Javelin Strategy & Research , 40 million consumers in the United States experienced identity theft in 2021, with about $52 million stolen.
With the threat of fraud looming, it's important to find ways to reduce the risk of identity theft . While you can take small steps to limit the amount of your personal information that's publicly available, you can also sign up for an identity theft protection service. These services will protect your identity with cybersecurity measures, monitor your identity for signs of fraud, and help you recover your identity if it's stolen.
Choosing the best identity theft protection service for your needs can be a daunting but necessary task. Here's how to get identity protection and what to look for in an identity protection service.
Just by existing in today's day and age, you hold some sort of valuable information.
"Anyone who has something in cyberspace worth taking should consider identity theft protection, and everyone should think of what's 'worth taking' expansively," says Kurt Sanger, a cybersecurity expert at Batten Safe and the former deputy general counsel for US Cyber Command.
While bank accounts, credit cards, and other obvious targets are important to protect, you should also be cognizant of parts of your identity that aren't as clearly monetizable. "Stealing passwords to withdraw money has tangible results, but an impostor's use of someone's cyber persona to post or send messages can impact personal and professional reputations," Sanger says.
While everyone can benefit from extra layers of identity protection, certain people are at a higher risk. If you've ever been the victim of identity theft in the past, you're far more likely to be targeted than someone who hasn't. If you have children, an identity theft protection service with a family plan, like IdentityIQ , or additional features to prevent child identity theft can be useful.
There are numerous factors that go into choosing an identity service. One of the big factors is cost. Michael Scheumack, a security expert and chief innovation officer of IdentityIQ, recommends looking for discounts or deals if you set up autopay or pay annually instead of monthly. In some cases, you might even be able to sign up for a low-cost or free trial and test out the service for yourself.
The amount of protection you need can vary depending on how much you have to protect. If you're a likely target of identity theft due to your job or assets, then you might want to consider something more substantial (and much more expensive) that offers bespoke services, explains Sanger. Otherwise, you might want more basic — though still robust — protection.
With that in mind, here's what you need to know when comparing identity theft protection services.
Signs of a good identity theft protection service
What you need from an identity theft protection service will vary based on your assets and needs, but the basics are relatively uniform. Here are the factors to consider when choosing an identity theft protection service.
Clear, comprehensive services: You want to know what the company will do, how it will help you, and how quickly you'll find out if something goes wrong. Dr. Rebecca Morris, founder of the online magazine "Safe Not Scammed" and a cybersecurity educator with a PhD in logic, computation, and methodology, recommends choosing a service that monitors the following services:
- Social Security number
- Court records
- Sex offender registries
- The dark web
"Ensure the plan provides timely alerts and notifications regarding possible suspicious activity," adds Scheumack.
Responds in real-time: Just like you want immediate alerts, you also want an actual person available if one of those alerts is problematic. "Real-time responses by actual representatives — not preprogrammed responses or chatbot — is a great sign because that's what you'll want if you suspect your identity has been stolen," Sanger says. Ideally, you'll have an expert who is specifically dedicated to your case, as opposed to a general hotline for your questions.
Offers prevention tools: Identity theft protection services often highlight what they'll do to alert or help you if there's an incident, but what about stopping it in the first place? "The goal of identity theft prevention is to avoid the need for restoration support, so understanding prevention tools is critical," says Sanger. At the very least, they should give you guidance on securing your assets and internet presence — though actionable steps are even better.
Monitors all three major credit bureaus: Three main credit bureaus are responsible for keeping a record of your credit history and documenting any changes, but they don't alert you to those changes. "Some companies only monitor one credit bureau in real-time," says Scheumack. "Fraud may not show up on all of your credit reports right away, so an option that monitors all three of the major bureaus can be essential."
If you're regularly checking your credit reports , skipping this will make your identity theft protection cheaper, explains Morris. However, without immediate alerts, the information could go unnoticed for extended periods of time.
There's no clear outline of solutions: The last thing you want from the company you're paying for identity theft protection is a lot of talking in circles. You'll want to look for concrete information on services within the fine print of a company's website, looking for details on support in the case of identity theft and costs.
"Are the explanations clear? What do you do first, and who do you contact first if you suspect an incident? Will the service pay in advance to help restore your identity or reimburse you after you have paid? Can coverage extend to family or other household members," Sanger says. If it doesn't answer these questions, then it's time to look elsewhere.
They're unreachable: The last thing you want to do when dealing with a stolen identity is wait on hold for three hours listening to jazz music — or worse, have to wait for an email response. As Sanger explains, if you struggle to get in touch with the company from the get-go, it's not going to be any better when you really need the company's help.
Your service only monitors one credit bureau: If you're really checking your credit reports regularly, then you can ignore this. But getting real-time alerts that someone has taken a loan in your name or signed up for a credit card can help you stop identity theft in its tracks. Similarly, you want to be getting these notifications.
The company has few or mostly negative reviews: You don't want to be the guinea pig for an identity theft protection service or spend lots of money only to find out that they're widely hated. Take the time to look at the reviews (and that there's a good amount) before signing up, says Morris. Look out for services with a slew of reviews instead.
Getting identity theft protection frequently asked questions
Of companies listed in our guide on the best identity theft protection services, IdentityForce UltraSecure is rated the highest, with comprehensive cybersecurity measures, family plans, and tri-bureau monitoring. See how we rate identity theft protection services here.
Monthly prices among our choices for the best identity theft protection services range between $8.99 to $29.99.
Consumers can access a free credit report every week from each of the three credit bureaus. You can also find some free identity theft resources among the services included our guide on the best credit monitoring services .
Editorial Note: Any opinions, analyses, reviews, or recommendations expressed in this article are the author’s alone, and have not been reviewed, approved, or otherwise endorsed by any card issuer. Read our editorial standards .
Please note: While the offers mentioned above are accurate at the time of publication, they're subject to change at any time and may have changed, or may no longer be available.
**Enrollment required.
- Main content
- TOP STORIES
- Area police
Local/Region
- Community Notebook
- National News
- International News
- Local Sports
- For the record
- New York Sports
- National Sports
- People’s column
- Retrospective
- The OBSERVER’s View
- Community News
- Sunday Lifestyles
- Senior News
- Local entertainment news
- Engagements
- Anniversaries
- Achievement
- Classifieds
- Garage Sales
- Statement of Values
- Terms of Service
- Submit News
- Place a notice
- Browse notices
- Today's Paper
Silver Creek Senior Citizens hear about fraud, identity theft
SILVER CREEK – The Silver Creek Seniors met on Tuesday, May 7 with 24 members and guests present. President Janice Snyder opened the meeting with the Pledge to the flag and all singing God Bless America. Guests Brenda and Vicki were welcomed. Chaplain Pauline Flitt read “Daily Prayer for Strength” and gave a blessing to the members, and the lunch of tacos and desserts.
The 50-50 raffle winners were Joan Militello, Joan Suski and Pauline. Door prizes were won by Jeanne Blakely, Don Hoeber and Max Church. Lucky card holders for the wheel were: Lorrie Newman (twice), Max, Janice Snyder, Harry Suski and Vicki. Lorrie called bingo and winners were: Al Wilson, Don Hoeber, Brenda (twice), Judy Hahn, Pauline (twice), Janice, Enabell Mirando, Annette Hoeber and Jan Polisoto.
Following Bingo, Jennifer Jones and her two associates from the local M&T Bank spoke on fraud and identity theft, which was very informative and well received by the group.
Next Tuesday’s lunch will be potluck. The club meets every Tuesday at 1 p.m. at 1823 Lake Road, Silver Creek and is open to the senior public. Anyone wishing information about the meetings, please call 716-934-2170.
Today's breaking news and more in your inbox
- Daily Newsletter
- Breaking News
Colorful display
SILVER CREEK – The Silver Creek Seniors met on Tuesday, May 7 with 24 members and guests present. President ...
SUNY Student wins Sigma Xi second place award for research
Youth bureau seeks youth council representatives for state.
The Chautauqua County Youth Bureau is seeking young people aged 13 to 21 to represent their county on the New York ...
County Sales Tax Revenue Dips In First Quarter
Purina delivers $25,000 in grants to area nonprofits
Starting at $2.99/week., subscribe today.
Ebury Botnet Operators Diversify with Financial and Crypto Theft
Kevin Poireault
Reporter , Infosecurity Magazine
- Follow @Kpoireault
- Connect on LinkedIn
Ebury, one of the most advanced server-side malware campaigns, has been active for 15 years but its use by threat actors is still growing, according to cybersecurity firm ESET.
A new report published on May 14 by ESET Research showed that operators of the Ebury malware and botnet were more active than ever in 2023.
Over the years, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD and OpenBSD servers. More than 100,000 were still compromised as of late 2023.
Long known to deploy spam, web traffic redirections and credential stealing, the Ebury group recently added credit card compromise and cryptocurrency theft in its techniques, tactics and procedures (TTPs).
What is the Ebury Botnet?
Ebury is a malicious group that has been active since at least 2009. It has developed an OpenSSH backdoor and a credential stealer used to deploy multiple malware strains simultaneously by relying on a bot network (botnet).
The group’s primary targets are hosting providers.
The Ebury botnet is used to compromise Linux, FreeBSD and OpenBSD servers in order to deploy web traffic redirection modules, proxy traffic for spam or perform adversary-in-the-middle attacks (AitM).
In 2014, ESET published a white paper about Operation Windigo, a malicious campaign using multiple malware families working in combination with the Ebury malware family at its core.
Following the release of the Windigo paper, Russian national Maxim Senakh, one of the Ebury operators, was arrested at the Finland-Russia border in 2015, and later extradited to the US.
In 2017, he was sentenced to 46 months in prison in the US for his role in running the Ebury botnet. ESET assisted the FBI in the operation and testified during the trial.
In late 2021, the Dutch National High Tech Crime Unit (NHTCU), part of the Netherlands national police, contacted ESET after they had found Ebury on the server of a victim of cryptocurrency theft.
“Those suspicions turned out to be well-founded and with NHTCU's assistance, ESET Research has gained considerable visibility into operations run by the Ebury threat actors,” the new ESET report indicated.
Marc-Etienne M. Léveillé, the ESET researcher who investigated Ebury for more than a decade, commented: “We have documented cases […] where the Ebury actors were able to compromise thousands of servers at once. There is no geographical boundary to Ebury; there are servers compromised with Ebury in almost all countries in the world. Whenever a hosting provider was compromised, it led to a vast number of compromised servers in the same data centers.
“At the same time, no verticals appear more targeted than others. Victims include universities, small and large enterprises, internet service providers, cryptocurrency traders, Tor exit nodes, shared hosting providers and dedicated server providers, to name a few.”
Ebury’s New Favorite Targets: Bitcoin and Ethereum Nodes
Despite the arrest, the Ebury group has continued running malicious campaigns, at least until late 2023.
The ESET report describes new methods used to propagate Ebury to new servers that appeared after 2021.
From its access to its target’s infrastructure, usually a hosting provider, the Ebury group can deploy several types of attacks.
In one of the most recent ones, the group uses an AitM attack to intercept SSH traffic of attractive targets inside data centers and redirect it to a server used to capture credentials.
The malicious actors leverage existing Ebury-compromised servers in the same network segment as their target to perform Address Resolution Protocol (ARP) spoofing. Among the targets are Bitcoin and Ethereum nodes. Ebury automatically steals cryptocurrency wallets hosted on the targeted server once the victim types the password to log into it.
ESET has observed that this method was used to target over 200 targets across over 75 networks in 34 countries between February 2022 and May 2023.
This example not only illustrates one of Ebury’s latest attack techniques, but also one of the group’s newest vectors of monetization: cryptocurrency theft.
Additionally, the Ebury malware family itself has also been updated.
The new major version update, 1.8, first seen in late 2023, included new obfuscation techniques, a new domain generation algorithm (DGA) and improvements in the userland rootkit used by Ebury to hide itself from system administrators. When active, the process, the file, the socket and even the mapped memory are hidden.
2023, a Record-Breaking Year for Ebury
These shifts in the Ebury group’s infection and monetization methods seem to be bearing fruit, as the group’s activity significantly increased in 2023 compared to 2021.
“The perpetrators keep track of the systems they compromised, and we used that data to draw a timeline of the number of new servers added to the botnet each month,” the ESET researchers wrote.
August 2023 saw record-breaking activity from the group, with over 6000 compromised servers recorded that month.
Combined, about 400,000 servers have been compromised by Ebury since 2009, and more than 100,000 were still compromised as of late 2023.
You may also like
Bugat malware adds gameover functionality, infosecurity weekly brief - may 12th 2009, operation liberpy targets latin america with keylogging malware, malware takedowns show progress, but fight against cybercrime not over, second half of 2023 threat landscape dominated by ai and android spyware, what’s hot on infosecurity magazine.
- Editor's Choice
Microsoft Fixes Three Zero-Days in May Patch Tuesday
China presents defining challenge to global cybersecurity, says gchq, hackers use dns tunneling to scan and track victims, uk insurance and ncsc join forces to fight ransomware payments, ai-powered russian network pushes fake political news, rsac: cisa launches vulnrichment program to address nvd challenges, rsac: how cisos should protect themselves against indictments, rsac: three strategies to boost open-source security, kaseya ciso on preparing effectively for the next cyber incident, rsac: why cybersecurity professionals have a duty to secure ai, why ddos simulation testing is critical for proactive network defense, supply chain cybersecurity: how to mitigate third-party risks, is mfa enough strategies for next-level identity security in 2024, disinformation defense: protecting businesses from the new wave of ai-powered cyber threats, adapting to tomorrow's threat landscape: ai's role in cybersecurity and security operations in 2024, how to secure remote connectivity within operational technology environments, women in cybersecurity at infosecurity europe 2024, lockbit leader aka lockbitsupp identity revealed, how to proactively remediate rising web application threats, learn from the nhs - proactive password security for improved cybersecurity, live roundtable event: secure enterprise browsing, new ways to strengthen endpoint security.
IMAGES
VIDEO
COMMENTS
The opportunity structure for identity theft. Earlier research on perpetrators of identity theft, using a conceptual framework informed by Cornish and Clarke's Rational Choice Theory and the methodology of crime script analysis, has focused on the motivations and methods of committing identity frauds (see Copes & Vieraitis, 2009, 2012) and ...
The current paper draws on lifestyle-routine activity theory (L-RAT; Cohen and ... were associated with greater victimization. However, existing identity theft research is limited by study designs that have been unable to determine whether reported protective behaviors were enacted as a general precautionary measure (prior to) or in response to ...
theft and express their attitudes. The researcher attempted to identify the behaviors and. demographics that individuals engaged in identity theft prevention. Besides, (Holt and Turner, 2012 ...
The current body of research suggests that identity theft victimization has a disproportionate negative impact on older adults and low-income people, but no studies have specifically examined the correlates of financial and psychological consequences among older victims. Using combined data on victims from the 2014 and 2016 NCVS-ITS, we ...
The United States Department of Justice and the Bureau of Justice Statistics have commissioned and co-operated on regular studies on identity theft, e.g. [3,4,5,6,7], and the various private consultancy firms, e.g. [8, 9], have studied identity theft issues in the recent years as well.The availability of public data on identity theft is much more limited in Europe.
The research found that identity theft generally involves three stages: acquisition of the identity information, the thief's use of the information for personal gain to the detriment of the victim of identity theft, and discovery of the identity theft. Evidence indicates that the longer it takes to discover the theft, the greater the loss ...
Identity theft was once again the most prevalent data breach type. It accounted for approximately 83% of the accounts breached in H1 2018, a massive growth of 757% over the previous year. ... Five major streams of research inform our work in this paper: (1) technology adoption model (TAM), (2) consumer privacy paradox, (3) service failure, (4 ...
Identity-related crimes refer to the use of someone else's identity in the perpetration of a crime (Chryssikos 2007). Identity fraud involves the use of a false identity for personal gains such as benets, services, or money. Identity theft, as described by the.
means of collecting identity theft data for research in academia Mancilla and Moczygemba (2009); Betz-Hamilton (2020); Anderson et al (2008). ... paper articles 1995-2005. Deviant Behavior 31(2):184-207 Newman GR, McNally MM (2005) Identity theft literature review. United States Depart-
Mi04 Mitchison, N. et al., 'Identity Theft -A Discussion Paper', Technical Report EUR 21098 EN, European Commission -Joint Research Center, 2004. Recommended publications Discover more about ...
Abstract. Identity theft is a serious crime growing rapidly due to the ever-tighter integration of technology into people's lives. The psychological and financial loss to individual victims is devastating, and its costs to society at large staggering. In order to better understand the problem and to combat the crime more effectively, a ...
Research Design and Methods: Identity theft measures come from a sample of more than 2,000 self-reported victims aged 65 and older from the nationally representative National Crime Victimization Survey Identity Theft Supplements administered in 2014 and 2016. Regression was used to examine how socioeconomic status, demographic characteristics,
The focus of this paper is on understanding prevention efforts, particularly the technological approaches, to combating identity-based crimes. ... whether by computer, tablet, or, increasingly, cell phone. Identity theft research has helped to provide needed information on the characteristics of victims (Golladay & Holtfreter, 2017; Holtfreter ...
reports of identity theft has increased over the study time period. From 2000 to 2001, identity theft jumped from 112 to 230 - a 105% increase. Over the same time period, credit card fraud increased 43%, motor vehicle theft increased 13%, robbery remained. stable, and check fraud decreased 32%.
what we know about identity theft and what might be done to further the research base of identity theft. Until the federal Identity Theft and Assumption Deterrence Act of 1998, there was no accepted definition of identity theft. This statute defined identity theft very broadly and made it much easier for prosecutors to conduct their cases.
Phishing attacks can lead to severe losses for its victims including sensitive information, identity theft, companies, and government secrets. ... Research on social media-based phishing, Voice Phishing, and SMS Phishing is sparse and these emerging threats are predicted to be significantly increased over the next years. 3. Laws and ...
Cybercrime - Identity Theft. Identify theft is a major challenge for societies of the digital age. In this essay, reflection. is given to the nature of identity theft and its scope, from the ...
For 76% of identity-theft victims in 2021, the most recent incident involved the misuse of only one type of existing account, such as a credit card or bank account. About 59% of identity-theft victims had financial losses of $1 or more that totaled $16.4 billion in 2021. In 2021, about 2% of persons age 16 or older experienced the misuse of an ...
The next, results, followed by general discussion and research implications. Finally, the paper concludes with limitations and future research directions. 2. The state of information technology (IT) in the banking sector of Ghana ... Perceived online identity theft (POIT) positively predict online security and privacy concern (SEPCON) regarding ...
Crime Victimization Survey indicates an average loss of $1,290 to victims of identity. theft (Bureau of Justice Statistics 2006). Moreover, victims of identity theft experience a great deal of emotional distress, including feelings of anger, helplessness and mistrust, disturbed sleeping patterns, and a.
It identifies key stakeholders and analyzes the impact of technology, including the widespread use of the internet, on identity theft. The term "identity theft", as used in this Working Paper series, refers broadly to the combination of unauthorized collection and fraudulent use of someone else's personal information.
The Researcher through this present Research Paper has made a humble attempt to highlight the growing menace of identity theft in India and has also brought ... According to recent research, identity theft is a common crime that affects both adults and children. The most obvious reason for this practise is that underage children do not understand
Identity Theft Briefing Paper. Identity theft (also known as identity fraud or true name fraud) is one of today's fastest growing crimes. While it might appear that the true victims of this crime are the merchants and lenders who extend credit to the thief in another person's name, they are not alone - all consumers pay higher prices to ...
Phishing. Phishing emails may be one of the internet's oldest scams, but phishing still forms the basis for many identity theft attacks. More than a fifth (21 per cent) of British identity theft ...
Identity Theft Is a "Kafkaesque" Nightmare. AI Makes It Way Worse. From hyperrealistic deepfakes to voice cloning, fraudsters are upping the threat level, potentially heralding, as one expert ...
topic for today's hearing: Research of first impression on the impact of identity crimes in Black communities; and, a discussion paper on the challenges to verifying a person is who they claim to be in a time when key points of personal information has been compromised for most adults in the never-ending series of data breaches.
• Harm from identity theft crimes involves individuals and businesses. The extent of harm done to the victims and to society at large is unknown. [1] Better Business Bureau, "New Research Shows That Identity Theft Is More Prevalent Offline With Paper Than Online," Exit Notice Press release, January 26, 2005. Defining Identity Theft
Choose identity theft protection services that offer preventive measures and recovery features. You can protect your own identity by requesting free weekly credit reports from the credit bureaus ...
Colorful display Silver Creek Senior Citizens hear about fraud, identity theft. SILVER CREEK - The Silver Creek Seniors met on Tuesday, May 7 with 24 members and guests present.
Source: ESET Research. Combined, about 400,000 servers have been compromised by Ebury since 2009, and more than 100,000 were still compromised as of late 2023. The 15-year-old Ebury botnet is more active than ever, as ESET found 400,000 Linux servers compromised for cryptocurrency theft and financial gain.