When it comes to assessing your risk of identity theft and fraud, being digitally compromised in a major, headline-news-style data breach is not your only threat.
Media stories focus on huge data breaches such as the Equifax data loss in 2017 which compromised more than 140 million Americans’ personal data. In fact, data theft reached record levels in 2017, with over 1,500 reported incidents of hacking that exposed around 180 million records.
Not All ID Theft is Digital: What is Analog Identity Theft?
It may be surprising, then, to hear - according to a 2017 report from the University of Texas at Austin's Center for Identity - that slightly more than half of personally identifying information theft events were non-digital in nature. Meaning “they didn't involve — or at least, didn't start with — the thief exploiting some cyber vulnerability.”
Such non-digital - or “analog” - identity thefts encompass a variety of activities that might include data retrieved from a stolen laptop, a lost wallet, or mail stolen from the mailbox or trash. It also includes "insider theft" (committed by family members or caretakers – e.g. “friendly fraud”) or by employees at companies where a victim does business who exploited their access to paper or digital records.
The Center for Identity analysis used data from more than 5,000 identity theft and fraud cases in their study.
Analog Data Theft is Serious
Despite the widespread level of analog data theft, experts say non-digital incidents of ID theft and fraud don’t receive the degree of attention they should, in part because consumers are overwhelmed by the threat of the big-name hacks they hear about in the news.
However, to the victim, it doesn't matter if you're the only person affected in a theft or one of tens-of-millions victimized in a mass data theft - the experience is the same regardless of how your personal data was initially obtained by the thief.
At the Center for Identity Theft, they often hear people musing about just how much damage can an old-school analog identity thief do?
The answer is – more than most people imagine, as can be seen when reading the below real-world stories.
Identity Theft Anecdotes
The subject victim’s best guess as to how her information was compromised came in a letter a few years ago from her bank. They told her that “A bank employee had sent account and profile details for her and her husband to a third party.”
But the first sign of problems didn't pop up until almost a year later when she began receiving a lot of extra mail. Specifically, from credit card issuers. The letters mostly were denials of credit for in-store credit cards applied for in her or her husband's name. Then a few actual credit cards were issued, followed by large bills.
"Whoever it was charged more than $20,000," said the poor ID theft victim, who spoke last year at a Federal Trade Commission conference about her ordeal. "They had the Christmas shopping season of their lives."
The thieves, having found early success with the identity data, began to pursue monetary gains in earnest. In 2017, they filed a change-of-address form with the post office. When the victim finally received notification of the change, her family's mail was already being forwarded to a new, undisclosed address — allowing the fraudsters to get their hands on some seriously valuable data, including bank statements and tax documents.
She filed a police report and engaged in a war with the thieves: She got her mail back, only to discover another attempt to change their address. At the same time, someone accessed the family's tax records with the IRS. Hours on the phone resolved all the fraudulent charges and new credit card accounts, and most of the family's legitimate creditors were willing to waive late fees and interest on bills that were late during the period when their mail was redirected. After notifying the IRS of the situation, they were issued unique PIN numbers to use when filing future tax returns.
The fraudsters were never caught, and our victim still doesn't know the full scope of the data compromised. A particular concern: That the perpetrators now have her children's data as well, with a long game in mind.
The First Clue: Missing Mail
For another victim, missing mail was the red flag.
Last summer, while reading through posts made by her neighbors on a neighborhood-based social networking site (Nextdoor.com) about missing mail in their community, she began to sense something was wrong. When she went to retrieve her mail, she noticed some of the units in the mailbox bank were ajar.
Soon after, she discovered that several of her Amazon packages had disappeared, and the thief had made off with a prepaid debit card loaded with more than $8,000 worth of short-term disability payments. Then her husband received a TJMaxx store credit card in the mail, which someone else had filled out a preapproved offer for in his name.
Assessing what other mail might have gone missing was taxing, and resolving the known losses took weeks, she said.
In the end, she escaped with minimal financial loss — she was able to have the prepaid card reissued and the funds reinstated, and the missing online purchases refunded or resent. Her community association replaced the mailboxes and keys, which seems to have stopped the thief.
Here's how to manage your risks for non-digital, analog methods of identity theft and fraud:
Safeguard Your Information
It's remarkably easy for thieves to find a lower-paid employee at say, a doctor's office or retail chain who is willing to sell customer information for cash, according to Sean McClesky from the Center for Identity.
Businesses aren’t often set-up to deal with the fact that they collect a significant amounts of sensitive personal information. More importantly, they are not trained in how to store it properly, McClesky says. According to the most recent study conducted by the Center for Identity report, in 10 percent of cases, the individual responsible for the action that led to the theft of personal data was an employee, and in 9 percent of cases, it was a medical service provider.
Consumers need to use the power of the pocketbook to influence companies to better manage how they treat personal information. This can start with pushing back against a business when they ask for intrusive personal data. Consumers need to be cautious about what information they give out. Just because the doctor's office asks for your Social Security number, doesn't mean you are required to provide it.
"It's amazing to me that we'll be so guarded with very interesting things we have, but we'll hand over our identity information on the spot," McCleskey said.
We are All Guilty of Being Careless
A lot of [analog theft] results from bad habits and a lack of attention by individuals towards their own personal data. We all have information we really should be protecting, but most of us make it too readily available for the casual thief to take advantage of.
Even trusted people like family members, friends and coworkers can be identity thieves. According to a 2018 Javelin Strategy & Research report, an estimated 60 percent of child victims, and 7 percent of adult victims, personally knew the perpetrator.