Identity theft is not a single trick. It is a category of work, with old methods that still pay off, newer scams that move at the speed of a text message, and breaches that hand criminals millions of records at once. Understanding how thieves actually operate makes it easier to spot the warning signs before your information ends up on a buyer's list.
Below are the most common methods in use today, with real case types that show how they play out, and what you can do to keep your credit reports and accounts protected.
Identity theft is not a fringe risk. Not even close.
According to the FTC's 2024 Consumer Sentinel Data Book, the agency received an astounding 1,135,270 identity theft reports in 2024, a 9.5 percent increase over 2023. Credit card fraud led the category at 449,076 reports, followed by loan or lease fraud and bank account theft.
That volume is not random. And it should make us all uneasy.
That’s because it reflects a steady mix of high-tech and low-tech methods that thieves cycle through depending on what is working that month. The scammers are playing the hot hand, to say it another way.
Let’s go over a number of ways identity theft cons play out.
Phishing is the email version of a con. A message arrives that looks like it is from your bank, a delivery company, or a tax agency, and tries to get you to click a link or attachment.
The goal is to get you to type credentials into a fake login page, or to install software that quietly captures everything you type next.
Real example: in recent IRS impersonation campaigns flagged by the FTC, scammers sent emails about a "tax refund recalculation" with a link to a spoofed IRS portal that harvested Social Security numbers and bank login details.
What gives phishing away is usually the urgency, the misspelled sender domain, and the request for information the real organization already has.
Smishing is phishing by text, and it has exploded since 2024. We’re going to assume if you have a cell phone, you’ve noticed this trend.
The most notable example is the wave of fake toll messages that hit drivers across the country. Some of us are getting toll payment messages from states we’ve never been to. Its frustrating and bewildering all in one. But it's also scary.
Real example: starting in early 2024, the FBI's Internet Crime Complaint Center received over 2,000 complaints about fraudulent toll collection texts in just three states in a single month. The texts claim you have an unpaid toll from a state turnpike or tolling authority and link to a lookalike payment page that captures card and personal details. The FTC and multiple state attorneys general have issued public warnings.
If you get one of these messages, do not click the link. Open your toll agency's website directly to check your balance, then forward the suspicious text to 7726 (SPAM) and report it at reportfraud.ftc.gov.
Sometimes a thief never has to interact with you at all. Breaches at companies that hold consumer data have become routine, and the records on offer often include the exact fields a fraudster needs.
Real examples from 2024:
After breaches like these, security researchers have noted that effectively all U.S. Social Security numbers should be considered exposed. That is the practical reason credit monitoring and credit freezes have become standard advice.
Old methods have not disappeared. Stolen mail still gives thieves account statements, pre-approved credit offers, tax forms, and checks. A single intercepted statement can be enough to open a fraudulent account.
The U.S. Postal Inspection Service has flagged a sustained rise in mail theft tied to identity fraud, including theft of "arrow keys" used to access cluster mailboxes.
Shredding documents that contain account numbers, routing numbers, or full names with addresses is still one of the cheapest forms of identity theft prevention you can do.
Skimmers are devices placed over real card readers at gas pumps, ATMs, and point-of-sale terminals. They quietly copy your card data while you complete a normal purchase. Newer "shimmers" target chip cards and are even harder to spot.
Public Wi-Fi adds a different angle. On an open network, attackers can intercept logins and account details if you are not on a secure connection. Treat any free Wi-Fi at airports, coffee shops, or hotels as untrusted, and avoid logging into financial accounts from those networks.
Two methods worth knowing about, even if they get less press than phishing and smishing.
In a SIM swap, a thief convinces your wireless carrier to move your phone number onto a SIM card they control. Once your number is theirs, any text-based two-factor authentication code goes to them, including the codes that protect your bank, email, and brokerage accounts. They typically pull off the social engineering by combining stolen personal details from past breaches with a confident phone call to customer support. The FCC tracks SIM swap fraud as a fast-growing category. Two defenses help: set a separate PIN or passcode on your carrier account, and use an authenticator app instead of SMS for two-factor authentication wherever possible.
Medical identity theft happens when someone uses your personal or insurance information to get treatment, prescriptions, or insurance benefits in your name. Beyond the financial cost, fraudulent treatments can end up in your medical file, which can affect future care and insurance decisions. The 2024 Change Healthcare breach made this risk concrete, since records for an estimated 192 million people were exposed. The FTC recommends reviewing every Explanation of Benefits statement from your insurer and requesting an annual list of services billed in your name from each provider, then disputing anything unfamiliar.
No single step makes you immune, but a layered approach drastically narrows what a thief can do with your information.
If something on your credit report looks wrong, move fast.
Common signs include unfamiliar accounts on your credit reports, unexpected drops in your credit score, debt collection calls for accounts you do not recognize, and denial letters for credit you never applied for. Reviewing your three credit reports regularly is the most reliable way to catch these signals early.
No. A credit freeze blocks most new credit accounts from being opened in your name, which addresses one of the most damaging forms of identity theft. It does not stop fraud on existing accounts, tax-related identity theft, or medical identity theft, which is why monitoring still matters.
Contact one of the three bureaus to place a fraud alert, then file a report at IdentityTheft.gov. Use the FTC report and your credit reports to dispute fraudulent items with each bureau in writing. ScoreSense members can use the Dispute Center for step-by-step instructions tied to each bureau's process.
Almost always. Tolling agencies do not typically collect payment by unsolicited text with a link. The FTC, FBI, and multiple state turnpike authorities have warned the public to ignore these messages and report them.
It can. Fraudulent accounts, missed payments on accounts opened in your name, and high balances on stolen credit lines can all affect your credit scores. Catching the activity early and disputing it through the credit bureaus helps limit the impact on your credit profile.