Identity fraud cost Americans a total of about $56 billion last year, with about 49 million consumers falling victim.
That's according to the 2021 Identity Fraud Study by Javelin Strategy & Research, released Tuesday. About $13 billion in losses were due to what Javelin calls "traditional identity fraud," where cybercriminals steal personally identifiable information, such as through data breaches, and use it for their own gain.
But the bulk of the losses last year, $43 billion, stemmed from identity theft scams where criminals interact directly with consumers to steal their information through methods such as robocalls and phishing emails. Victims of these scams lost $1,100 on average, according to Javelin.
"Identity fraud has evolved and now reflects the lengths criminals will take to directly target consumers in order to steal their personally identifiable information," says John Buzzard, a lead fraud and security analyst with Javelin Strategy & Research.
Because the Covid-19 pandemic changed the way people shopped and transferred money, many criminals targeted digital wallet and peer-to-peer payment methods such as Apple Pay and Zelle. About 18 million victims fell prey to scams through these digital payment methods last year, Javelin found.
"The culture of fraud is clearly shifting. The pandemic has created so many more points of vulnerability for families and businesses," says Paige Schaffer, CEO of global identity and cyber protection services at Generali Global Assistance.
Here are three common red flags to watch for when it comes to identity theft scams and how to handle them.
Spoofing technology has made it easier than ever for scammers to impersonate anyone, from government agencies like the IRS to your favorite retailer. In order to protect yourself, most experts recommend that consumers avoid picking up any calls from unfamiliar phone numbers. Instead, let them roll into voicemail for further scrutiny.
If you do get a message that you think is legitimately from a government agency, call or email them back through contact information listed on their website. Don't reply directly.
If you answer a call, keep in mind that U.S. government agencies won't ask you to pay for information or services upfront. Additionally, government agencies typically won't call, text, email or contact you on social media to ask for your Social Security, bank account or credit card number. If you receive messages asking for this information, it's likely a scam.
Another big tipoff that a call or message is from a scammer is if they say that they need sensitive information right away. It's usually a red flag if something needs to be done immediately or if there are threats that you'll lose money if immediate action is not taken.
But don't allow yourself to be rushed into buying anything or giving away any information. "Take a breather," recommends Ron Schlecht, managing partner at cybersecurity firm BTB Security.
And make sure you stay up-to-date on the latest scam tactics and data breaches. The FTC keeps on top of the fraud trends and issues consumer alerts about what they find. You can sign up for email updates or visit the FTC's coronavirus scam page.
Many identity theft scams are done by fraudsters who have obtained log-in information from data breaches that have occurred within the past few years.
That's why it's important to regularly check your passwords to see if they've been compromised. Google offers a free password checkup tool that shows you which accounts have vulnerable or compromised passwords. Additionally, sites like HaveIBeenPwned.com can help uncover if your email has been involved in a data breach.
Regularly updating passwords can help shut down unauthorized access to your accounts, says James Lee, chief operating officer of the Identity Theft Resource Center.
"It's inconvenient. It's a pain, but you've got to do it," Lee says. And don't just use a new password across the board. Lee recommends creating a unique pass phrase on every account, such as the name of a song or a book title. "It's easy to remember," he says.
The longer and more complex you can make it, the more secure your password is. A scammer using encryption tools to hack their way into your account can probably figure out a six-character password that only uses letters in a matter of seconds, Lee says. But it will take decades to crack a 12-character pass phrase that uses letters and numbers.
Even if you're using a secure pass phrase as your login, Lee also recommends enabling two-factor authentication on your accounts if it's available. This generally requires you to not only enter a password, but also confirm your identity by logging onto your phone or entering a code texted or emailed to you.