Identity theft victims: You might know the culprit

A spate of high-profile data breaches have brought worries about identity theft to a fever pitch. But consumers may be overlooking a risk that's much closer to home.

Concerns that your information could be compromised are justified. Through mid-July, there have been 424 data breaches compromising more than 129.6 million records, according to the Identity Theft Resource Center, affecting targets as varied as the Internal Revenue Service, the insurance company Anthem and, most recently, the adultery site Ashley Madison.

Last year, the center reports, the number of data breaches hit a record high of 783, up 27.5 percent from 2013. Javelin Strategy & Research estimated that fraud and identity theft damages that year (including but not limited to such breaches) totaled $16 billion and affected 12.7 million people.

Read MoreAshley Madison hacked; should users worry about blackmail?

Tracy, a health-care worker in Kentucky, is among those victims. The thief who stole her Social Security number opened several new cards in her name last year, racking up $1,500 in purchases and pushing one account past its credit limit. Another debt, owed to an online retailer, was sent to collections.

The catch? Tracy, who asked that her last name be withheld for privacy concerns, wasn't victimized by some nameless, faceless hacker.

Her husband was the culprit.

"He knew my birthday. He had my Social Security number. He even had a copy of my driver's license stored on his computer," said Tracy, who spotted the first fraudulent account after receiving a message from the bank about a missed payment. Her husband confessed to the fraud, and the couple has since divorced.

Though data breaches are by far the more common risk, so-called "familiar fraud" isn't that unusual: Last year, 550,000 fraud and identity theft victims reported that they had their information compromised by someone they knew, according to Javelin Strategy & Research data pulled for CNBC.com. (Tweet this)

And that number may be on the low side, factoring in consumers who aren't aware of the thief's identity as well as the often long lead time to discover familiar fraud and reluctance of victims to pursue charges.

"Most of the time when we think of identity theft, we think of a bad person behind a computer in a foreign country," said Robert P. Chappell Jr., author of "Child Identity Theft: What Every Parent Needs to Know." "That's not always the case." Familiar fraud cases trace back to family members as offenders, as well as friends, neighbors, coworkers and in-home employees.

Read More More reasons to be careful about what you leave on your desk at work

Cases ebb and swell, with more taking place during tough economic times, said Al Pascual, director of fraud and security at Javelin. In 2011, familiar fraud affected 0.64 percent of the population, versus 0.35 percent last year. "We think that this ties very closely to the economy," he said. "That's when scruples tend to be a little more malleable."

"The vast majority of these are opportunistic," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse. The perpetrator already knows the victim's personal information or has easy access to it.

Unlike other kinds of fraud or identity theft, with familiar fraud there isn't always intent to harm. One family member, for example, may justify the fraudulent use of another family member's identity as a temporary necessity to fill a need that their own bad credit can't—say, getting vital medical care or setting up a new utility account to keep the heat on. "But then the heat turns into the cable, and then some other, more luxury item," said Chappell. "It becomes more and more of a stretch."

Children and young adults are common victims of familiar fraud. Students are four times as likely as the general public to encounter such fraud, according to Javelin's 2015 report. Another study by the firm in 2012 that focused on child identity theft estimated that in 27 percent of cases, the perpetrator was a family member or close friend of the family.

Read MoreAnthem victims' first hack symptom: Phishing scams

Family members may reason that their children benefit from the theft, if it means the lights stay on or groceries get purchased, said Eva Casey Velasquez, president and CEO of the Identity Theft Resource Center. "In some ways, they don't even really realize what they're doing is a crime," she said.

Thieves further out in the victim's social network find children appealing targets because the theft is likely to go unnoticed for years. (Foster kids are targets for similar reasons.) "Kids will sometimes find out about it when they're applying for college," said Velasquez—red flags might only appear when a family fills out the Free Application for Federal Student Aid, for example, or the young adult applies for a first credit card or student loan.

Axton Betz-Hamilton found out her identity had been compromised in 2001, when she was a college sophomore moving off campus. "I got a letter from the electric company saying, 'We need a $100 deposit for your service because of your credit score,'" she said. "I thought at 19 it was because I didn't have much of a credit score."

But when her requested credit report arrived, it listed 10 pages of credit card accounts and debts sent to collection, none of which were hers. They dated back to 1993.

It took Betz-Hamilton, now a child identity theft researcher and an assistant professor of consumer studies at Eastern Illinois University, until 2009 to clean up her report through a combination of good behavior, fraud disputes and simply waiting for negative items to fall off the report. In the meantime, she suffered the financial consequences of a 380 credit score. (For perspective, the prevalent FICO score ranges from 300 to 850, the higher the better, and the median U.S. FICO score was 713 as of October 2014.)

Read MoreDeciphering the fine print on your credit report

"There were people who had declared bankruptcy who had better credit scores than I did," she said. "My first credit card had a $300 limit, a $69 annual fee and a 29.9 percent interest rate. My first car loan had an 18.23 percent rate."

Only in 2013, shortly after her mother passed away, did Betz-Hamilton learn the source of her identity theft. Her father discovered statements and applications for the fraudulent accounts hidden among her mother's possessions. It became clear that not only had she stolen Betz-Hamilton's identity, but also that of Betz-Hamilton's father and grandfather.

"Once we figured this out, the grieving process stopped," she said. "I think we're going through some kind of trauma reaction."

Familiar fraud can cut deeper than other kinds of fraud or identity theft, both financially and emotionally. The average familiar fraud victim has out-of-pocket costs of $561 to fight the problem, compared with $79 for broader fraud cases in which a victim's existing credit card number is stolen, according to Javelin.

"The repercussions are substantially greater," said Pascual. "They can keep these kinds of frauds going longer." For example, a close culprit might know enough about you to sidestep lenders' security questions to open new accounts, and have access to intercept mailed account statements.

Read MoreThis can help prevent financial abuse of the elderly

Fighting familiar fraud is also rife with emotional and legal pitfalls. Filing a police report means a police investigation, and victims are often reluctant to get that loved one in trouble, Velasquez said. "They don't want to create drama in the family," she said. Or for themselves. Betz-Hamilton said that in her studies, she's found victims often don't get family support because the idea of a relative as identity thief seems unfathomable.

But failing to file a police report or cooperate with investigations limits victims' recourse. "The credit bureaus will say, 'We need a police report,' " said Chappell. "Where are you left at that point? You're left with damaged credit that you can't get clean." No report also means lenders are less likely to classify the debts as fraudulent—especially in the light of details common with familiar fraud such as statements being sent to the victim's correct mailing address, or a record of someone even occasionally paying the bill.

When a spouse is the culprit, proving your innocence is more difficult—even if you're ready and willing to file that police report. Jim, a California resident who works in information security, has been fighting since 2009 to clear more than $35,000 in credit card debts his then-wife racked up in his name on four credit cards.

"Their stance is, what's to say I'm not just claiming it's my spouse to avoid paying?" said Jim, who asked that his last name be withheld for privacy concerns. "You can argue until you're blue in the face. The credit companies don't want to hear it. Now it's in collections, and the collections companies don't really care, either."

The police were unwilling to pursue criminal charges, Jim said, because there's little beyond his word as evidence. "There's no way to prove it short of her admitting it, which she won't do," he said, and a civil suit is "money I don't have, and again, how am I going to prove it?"

Read MoreHow to avoid crowdfunding fraud

Tracy faced a similar uphill battle, even though her husband admitted to the theft. "I tried to go to the authorities, but they said they couldn't do anything because we were married at the time [of the theft]," she said. "They said it didn't matter that I hadn't known anything about my husband opening new accounts in my name."

To some extent, familiar fraud is more difficult to prevent than the myriad causes of data breaches. "You can't not have people who are close to you know certain personal details," said Pascual. Spouses and parents, at least, will certainly know your Social Security number, for example. Criminal and medical identity theft can also be perpetuated by a friend or family member who knows less sensitive details like your home address and birthdate, said Stephens of the Privacy Rights Clearinghouse.

Still, it's important to take steps to limit others' access—especially in living situations where a wider number of people have potential access, like in college dorms or assisted living facilities. "A lot of protection can come from just removing pertinent information from view," said Chappell.

Read MoreInvestor lessons from an alleged $1.5B Ponzi scheme

Even measures as simple as a locked drawer or safe can keep casual visitors from accessing sensitive documents unnoticed. Password protect computers and other devices or, better yet, use touch ID or facial recognition if available. Shred any documents you throw out.

"Paper breaches still happen," said Velasquez. "People still steal mail. They still go through your garbage."

When it comes to close relationships, like a spouse, trust but verify. "If you're in a relationship and you share finances, even if you don't like handling the finances, you need to look at those documents and understand what's going on," said Betz-Hamilton. Take regular fraud precautions such as monitoring your accounts and pulling your credit reports to review.

Jim agrees: "Had I been watching my credit report, I would have seen it all."

A more controversial question: Do you monitor a child's credit report? The experts are divided.

"Theoretically, there should be no credit report," said Velasquez. "It should not exist." Unwarranted parental checking could muddy the waters because it essentially creates a report, she said. (Although, 22 states allow parents to freeze credit reports for minors, according to the National Conference of State Legislatures, including Illinois, Maryland, New York, Oregon and Texas.)

Read MoreHow much do you really need in emergency savings?

But Chappell and Stephens say parents should be checking, especially if there have been warning signs like a minor child receiving credit card applications in the mail. "That's a red flag that a parent should immediately be going to the three credit reporting agencies," said Stephens.

Regardless, it's not an easy process, with the three credit bureaus requiring mailed forms and other documentation such as copies of the child's birth certificate and a parent's driver's license. If you decide to go that route, said Chappell, request a manual search of the child's Social Security number. Thieves stealing a child's identity will often cobble together a SSN with a different name or birthdate, and those so-called synthetic IDs don't always show up in general searches.

Awareness of the potential for familiar fraud can go a long way. "The reality is, you don't know other people's situations," said Velasquez. "Maybe you don't know them as well as you think."