- 53 percent of thefts of consumers' identity data are "non-digital," meaning they don't involve — or at least, don't start with — the thief exploiting some cyber vulnerability.
- That includes physical theft like a stolen laptop or mail, and insider theft, where family members and and employees at companies where you do business exploit their access.
- "Somebody, somewhere, has all this information," says identity theft victim Amy Wang. "We don't know when they're going to pull the trigger and use it."
Hackers aren't your only risk when it comes to identity theft and fraud.
Data breaches and hacks like those at Equifax, the IRS and Yahoo! tend to dominate the conversation — and no wonder. Breaches hit a record high in 2017, with 1,579 reported incidents exposing nearly 179 million records, according to the Identity Theft Resource Center, which helps consumers dealing with identity theft and fraud.
But in recent years, a little more than half of thefts of consumers' personally identifying information were classified as "non-digital," meaning they didn't involve — or at least, didn't start with — the thief exploiting some cyber vulnerability, according to a 2017 report from the University of Texas at Austin's Center for Identity.
"That's usually a surprise to people," said R. Sean McCleskey, director of organizational education and measurement at the Center for Identity. "It doesn't get the attention, to some degree, that cybercrimes get."
Analog thefts include say, data retrieved from a stolen laptop, lost wallet or pilfered mail. It also encompasses "insider theft" via family members and employees at companies where you do business, who exploited their access to paper or digital records.
The Center for Identity analysis used data from more than 5,000 identity theft and fraud cases occurring from 2000 through 2016. (Click on graphic to enlarge.)
Even among notable breaches, non-digital methods add up. For example, according to ITRC data, 4.5 percent of incidents last year involved physical theft, with almost 1.4 million records compromised across 71 breaches.
(And those are just the incidents large enough to trigger breach notification laws, said Eva Velasquez, chief executive and president of the ITRC. Actual rates are likely much higher.)
Despite that prevalence, experts say non-digital, analog incidents of identity theft and fraud often get lost in the conversation, in part because consumers are skeptical about the potential risk and impact compared to the looming threat of big-name hacks they hear about in the news.
"It doesn't matter if you're one of 10 affected in a theft or one of 1,000; the experience is the same," said Velasquez.
"We often hear, 'Oh, how much damage can they do?" she said.
Plenty, as Amy Wang can tell you.
The occupational therapist's best guess as to how her information was compromised came in a letter a few years ago from Wells Fargo: An employee had sent account and profile details for Wang and her husband to a third party.
But the first sign of problems didn't pop up until late 2016, when the Miami family started receiving a lot of extra mail. Specifically, from credit card issuers.
They were mostly denials of credit, for store cards applied for in her or her husband's name. Then a few actual cards, followed by bills. Big bills.
"Whoever it was charged more than $20,000," said Wang, who spoke last year at a Federal Trade Commission conference about her ordeal. "They had the Christmas shopping season of their lives."
She likened the onslaught of fraudulent charges and new accounts to the arcade game Whac-a-Mole, where a player must hit randomly appearing targets: "We'd get rid of one, and then more would come up."
The thieves upped their game in early 2017, filling out a change-of-address form with the post office. By the time Wang received notification of the change, her family's mail was already being forwarded to a new, undisclosed address — allowing the perpetrators to collect a treasure trove of valuable data, including bank statements and tax documents.
Wang filed a police report and engaged in a brief tug-of-war with the thieves: She got her mail back, only to receive another change-of-address attempt, which she diverted. And, meanwhile, someone attempted to access the family's tax records with the IRS.
Hours on the phone resolved all the fraudulent charges and new credit card accounts, and most of the family's legitimate creditors were willing to waive late fees and interest on bills that were late during the period when their mail was redirected. The IRS issued the family identity protecting PINs for future tax filings, and the Wang family froze their credit reports to curtail new credit applications.
But the thieves were never caught, and Wang still doesn't know the full scope of the data compromised. A particular concern: That the perpetrators now have her children's data as well, with a long game in mind.
"Is it resolved now? Well, yeah, for the moment," Wang said. "But somebody, somewhere, has all this information. We don't know when they're going to pull the trigger and use it."
For Andrea Woroch, missing mail was the red flag.
Last summer, the consumer advocate started seeing neighbors posting updates to neighborhood-based social networking site Nextdoor.com about missing mail in their Bakersfield, California, community. When Woroch went to retrieve her mail, she noticed some of the units in the mailbox bank were ajar.
Several Amazon packages disappeared, and the thief made off with a prepaid debit card loaded with more than $8,000 worth of short-term disability payments for Woroch's maternity leave, along with a birthday card her father sent containing $200 cash. Then her husband received a TJMaxx store credit card in the mail, which someone else had filled out a preapproved offer for in his name.
More from Personal Finance:
5 strategies to keep your dream wedding venue from blowing your budget
Hit the brakes before you take this step with your 401(k)
3 ways to get other people to pay off your student loan
Assessing what other mail might have gone missing was taxing, and resolving the known losses took weeks, she said.
In the end, Woroch escaped with minimal financial loss — she was able to have the prepaid card reissued and the funds reinstated, and the missing online purchases refunded or resent. Her community association replaced the mailboxes and keys, which seems to have stopped the thief.
"A $30 package, yeah, that's not great that someone stole it," she said. "But it pales in comparison to having your Social Security number or bank account info stolen."
Here's how to manage your risks for non-digital, analog methods of identity theft and fraud:
It's not terribly hard for thieves to find a lower-paid employee at say, a doctor's office or local retailer to make an offer of cash for customer info, said the Center for Identity's McCleskey, who is also a retired Secret Service agent.
Businesses don't always understand how much data they're collecting, or how to store it properly, he said. In the Center for Identity report, the perpetrator was an employee in 10 percent of cases, and a medical service provider in 9 percent of cases.
Consumers need to push back on businesses to store data properly, he said, and also be cautious about what information they give out. Just because the doctor's office asks for your Social Security number, doesn't mean you are required to provide it.
"It's amazing to me that we'll be so guarded with very interesting things we have, but we'll hand over our identity information on the spot," McCleskey said.
"A lot of [analog theft] is self-compromise," said ITRC's Velasquez. "You have information you really should be protecting, and you're making it available."
Think about the value of personal information that's easily accessible while you're on the move, or in spaces like your home or office. Even trusted people like family members, friends and coworkers can be identity thieves: A 2018 Javelin Strategy & Research report estimated 60 percent of child victims, and 7 percent of adult victims, personally knew the perpetrator.
"You wouldn't leave $1,000 on the counter, you'd hide that," McCleskey said. "$1,000 is not easily replaceable, I'll give you that, but if someone gets your identity and starts running around, that's much harder to repair."
- On the move: Don't routinely keep documents like your Social Security card or passport in your purse or wallet, Velasquez said. Password-protect devices you travel with, like your cellphone and laptop. And don't leave documents or devices in your car.
- At home: Don't leave sensitive mail or documents out in plain sight. Ideally, keep papers with sensitive financial information in a home safe or locked file cabinet, or a safety deposit box at the bank, said certified fraud examiner Peggy Tracy, owner of Priority Planning LLC in Wheaton, Illinois, who specializes in forensic accounting and divorce consultations. "Why tempt people by leaving things around the house?" she said.
- At the office: Take the same precautions with personal data at work as you would at home. In a 2015 CareerBuilder survey of office support staff, 10 percent had found items in the trash or around the office that could be compromising to the worker or company — with respondents' notable finds including personal tax returns and bank statements, passports and a list of employee salaries.
Go paperless as much as possible, Tracy said. Elect to receive payments via direct deposit, when you can, instead of by paper check or a physical prepaid card. Sign up to receive your bank and brokerage statements electronically, rather than by mail, and opt out of prescreened credit card and insurance offers.
"Paper documents can be stolen or manipulated," she said.
By that same measure, regularly clear your files of paper records you no longer need, like old credit card bills, income tax returns, and insurance explanation of benefits statements.
"The more paper you leave around, the easier it is for people to find it," Tracy said.
Run sensitive documents through a cross-cut shredder before you dispose of them, Tracy said. That includes not just financial statements, but anything that has personal information on it. (She goes so far as to pull the address labels off magazines.)
"People are still known to pick through trash," she said.
Keep tabs on what you're sending, as well as receiving.
A thief could easily build a good profile on you from a few pieces of mail, especially outgoing mail that might contain personal checks or signed documents, McCleskey said. Deposit outgoing mail in a secured box at the post office, rather than in your own mailbox or a mail collection box on the street (especially after the day's last collection).
"Thieves have contraptions that let them reach in and pull mail out," he said.
(Federal investigators are currently looking into a rash of such "mail fishing" thefts in New York and New Jersey.)
Investing in a locking mailbox or a post office box to protect incoming mail can be a good idea, too, said Velasquez — especially if your schedule is such that letters and packages could sit there for hours, you live on a busy street that gets a lot of foot traffic from tourists and shoppers, or you reside in a rural area where thieves can easily come and go unnoticed.
Do a background check on people and services who will have regular access to your home (home health aid, roommate), or who you're trusting with a wealth of financial information (broker or financial advisor), Tracy said.
"It's worth it to find out if there's a criminal history there," she said.