Skip to content
Sign In
All posts

How Identity Thieves Get Your Information (Real-World Examples)

Picture of ScoreSense By   ·  6 minute read

 

Identity theft is not a single trick. It is a category of work, with old methods that still pay off, newer scams that move at the speed of a text message, and breaches that hand criminals millions of records at once. Understanding how thieves actually operate makes it easier to spot the warning signs before your information ends up on a buyer's list.

Below are the most common methods in use today, with real case types that show how they play out, and what you can do to keep your credit reports and accounts protected.

 

Quick Breakdown

  • Identity thieves rely on phishing emails, smishing texts (like fake toll notices), mail theft, card skimmers, public Wi-Fi snooping, and large data breaches to collect personal information.
  • The FTC logged more than 1.1 million identity theft reports in 2024, with credit card fraud the most common type.
  • The 2024 National Public Data breach exposed roughly 170 million records, including Social Security numbers.
  • Fake toll text scams have triggered warnings from the FBI, FTC, and multiple state attorneys general.
  • Monitoring all three of your credit reports is one of the fastest ways to catch identity theft early.

 

How Common Is Identity Theft Right Now

Identity theft is not a fringe risk. Not even close.

According to the FTC's 2024 Consumer Sentinel Data Book, the agency received an astounding 1,135,270 identity theft reports in 2024, a 9.5 percent increase over 2023. Credit card fraud led the category at 449,076 reports, followed by loan or lease fraud and bank account theft.

That volume is not random. And it should make us all uneasy.

That’s because it reflects a steady mix of high-tech and low-tech methods that thieves cycle through depending on what is working that month. The scammers are playing the hot hand, to say it another way.

Let’s go over a number of ways identity theft cons play out.

 

Phishing Emails

Phishing is the email version of a con. A message arrives that looks like it is from your bank, a delivery company, or a tax agency, and tries to get you to click a link or attachment.

The goal is to get you to type credentials into a fake login page, or to install software that quietly captures everything you type next.

Real example: in recent IRS impersonation campaigns flagged by the FTC, scammers sent emails about a "tax refund recalculation" with a link to a spoofed IRS portal that harvested Social Security numbers and bank login details.

What gives phishing away is usually the urgency, the misspelled sender domain, and the request for information the real organization already has.

 

Smishing (Text Message Scams)

Smishing is phishing by text, and it has exploded since 2024. We’re going to assume if you have a cell phone, you’ve noticed this trend.

The most notable example is the wave of fake toll messages that hit drivers across the country. Some of us are getting toll payment messages from states we’ve never been to. Its frustrating and bewildering all in one. But it's also scary.

Real example: starting in early 2024, the FBI's Internet Crime Complaint Center received over 2,000 complaints about fraudulent toll collection texts in just three states in a single month. The texts claim you have an unpaid toll from a state turnpike or tolling authority and link to a lookalike payment page that captures card and personal details. The FTC and multiple state attorneys general have issued public warnings. 

 

Example of a smishing toll scam text message on an iPhone, showing a fake unpaid toll notice from a spoofed sender with a suspicious payment link.

 

If you get one of these messages, do not click the link. Open your toll agency's website directly to check your balance, then forward the suspicious text to 7726 (SPAM) and report it at reportfraud.ftc.gov.

 

Large-Scale Data Breaches

Sometimes a thief never has to interact with you at all. Breaches at companies that hold consumer data have become routine, and the records on offer often include the exact fields a fraudster needs.

Real examples from 2024:

  1. National Public Data, a background check broker, suffered a breach that exposed roughly 2.9 billion records and personal information for an estimated 170 million people, including Social Security numbers, addresses, and phone numbers.
  2. Change Healthcare, a payment processor used across the U.S. healthcare system, was breached by a ransomware group, affecting an estimated 192 million individuals.
  3. AT&T disclosed two breaches in 2024 affecting more than 110 million customers, including stolen call and text metadata.

After breaches like these, security researchers have noted that effectively all U.S. Social Security numbers should be considered exposed. That is the practical reason credit monitoring and credit freezes have become standard advice.

 

Mail Theft and Dumpster Diving

Old methods have not disappeared. Stolen mail still gives thieves account statements, pre-approved credit offers, tax forms, and checks. A single intercepted statement can be enough to open a fraudulent account.

The U.S. Postal Inspection Service has flagged a sustained rise in mail theft tied to identity fraud, including theft of "arrow keys" used to access cluster mailboxes.

Shredding documents that contain account numbers, routing numbers, or full names with addresses is still one of the cheapest forms of identity theft prevention you can do.

 

Card Skimmers and Public Wi-Fi

Skimmers are devices placed over real card readers at gas pumps, ATMs, and point-of-sale terminals. They quietly copy your card data while you complete a normal purchase. Newer "shimmers" target chip cards and are even harder to spot.

Public Wi-Fi adds a different angle. On an open network, attackers can intercept logins and account details if you are not on a secure connection. Treat any free Wi-Fi at airports, coffee shops, or hotels as untrusted, and avoid logging into financial accounts from those networks.

 

Less Common but Still Active Methods

Two methods worth knowing about, even if they get less press than phishing and smishing.

SIM Swap (Phone Account Hijacking)

In a SIM swap, a thief convinces your wireless carrier to move your phone number onto a SIM card they control. Once your number is theirs, any text-based two-factor authentication code goes to them, including the codes that protect your bank, email, and brokerage accounts. They typically pull off the social engineering by combining stolen personal details from past breaches with a confident phone call to customer support. The FCC tracks SIM swap fraud as a fast-growing category. Two defenses help: set a separate PIN or passcode on your carrier account, and use an authenticator app instead of SMS for two-factor authentication wherever possible.

Medical Identity Theft

Medical identity theft happens when someone uses your personal or insurance information to get treatment, prescriptions, or insurance benefits in your name. Beyond the financial cost, fraudulent treatments can end up in your medical file, which can affect future care and insurance decisions. The 2024 Change Healthcare breach made this risk concrete, since records for an estimated 192 million people were exposed. The FTC recommends reviewing every Explanation of Benefits statement from your insurer and requesting an annual list of services billed in your name from each provider, then disputing anything unfamiliar.

 

How to Protect Yourself

No single step makes you immune, but a layered approach drastically narrows what a thief can do with your information.

  1. Freeze your credit at all three bureaus. A freeze blocks new accounts from being opened in your name unless you lift it. The CFPB explains how to place one with each bureau, and ScoreSense members can use the Credit Freeze Center inside their account for direct links and instructions.
  2. Monitor your credit reports. ScoreSense pulls all three of your credit reports and your VantageScore, so you can see new accounts, balance changes, and inquiries across Experian, Equifax, and TransUnion. Daily credit monitoring through ScoreSense uses Experian data, which is enough to catch most early signs of fraud.
  3. Use unique passwords and multi-factor authentication. A password manager makes this practical.
  4. Verify before you click. If a text or email pressures you to act, go directly to the company's website or app instead of using the message's link.
  5. Add identity theft monitoring as an upgrade. ScoreSense members can add identity theft monitoring as an upgrade to their membership, which extends watchlists beyond credit files into areas like dark web monitoring and Social Security number tracking. The optional plan also includes $1 million in identity theft insurance underwritten by AIG.

 

What to Do If You Spot Identity Theft

If something on your credit report looks wrong, move fast.

  1. Place a fraud alert with one of the three credit bureaus. The bureau you contact is required to notify the other two.
  2. Report identity theft to credit bureaus and to the FTC at IdentityTheft.gov, which generates an official recovery plan and affidavit.
  3. Dispute any fraudulent items on your credit reports. ScoreSense members can use the Dispute Center to walk through filing disputes with Equifax, Experian, or TransUnion. ScoreSense provides step-by-step guidance for members to file disputes themselves, rather than filing on a member's behalf.
  4. Contact your bank or card issuer to close compromised accounts and reissue cards.
  5. Keep documenting. Save copies of letters, emails, and confirmation numbers as you work through cleanup. This evidence matters if the fraud reappears later.

 

FAQ

How do I know if my information has been stolen?

Common signs include unfamiliar accounts on your credit reports, unexpected drops in your credit score, debt collection calls for accounts you do not recognize, and denial letters for credit you never applied for. Reviewing your three credit reports regularly is the most reliable way to catch these signals early.

Does a credit freeze stop all identity theft?

No. A credit freeze blocks most new credit accounts from being opened in your name, which addresses one of the most damaging forms of identity theft. It does not stop fraud on existing accounts, tax-related identity theft, or medical identity theft, which is why monitoring still matters.

How do I report identity theft to credit bureaus?

Contact one of the three bureaus to place a fraud alert, then file a report at IdentityTheft.gov. Use the FTC report and your credit reports to dispute fraudulent items with each bureau in writing. ScoreSense members can use the Dispute Center for step-by-step instructions tied to each bureau's process.

Are toll text messages always a scam?

Almost always. Tolling agencies do not typically collect payment by unsolicited text with a link. The FTC, FBI, and multiple state turnpike authorities have warned the public to ignore these messages and report them.

Will identity theft hurt my credit score?

It can. Fraudulent accounts, missed payments on accounts opened in your name, and high balances on stolen credit lines can all affect your credit scores. Catching the activity early and disputing it through the credit bureaus helps limit the impact on your credit profile.