"Integrity means not having your identity violated" (Erich Fromm)

    Identity theft is a big problem.  Using the year 2007 as a baseline, the Federal Trade Commission (FTC) estimated that over 8 million Americans had been victimized by some form of identity theft.  Identity theft became a crime in 1998 when Congress passed the Identity Theft and Assumption Deterrence Act (ITADA) which amended US Code: Title 18,1028A to specify additional prison time for any underlying crime (usually fraud) involving the identity documentation of another person.  State penalties exist and vary widely.  One of the hardest-hit states, California, took the lead by enacting "mandatory data breach laws" which require businesses and corporations who have experienced a security breach to report it to all customers. 

    In point of fact, more businesses than individuals incur financial losses (about $15 billion per year) than individuals from these kinds of crimes.  That's because a variety of laws exist to protect individuals from many of the financial losses they would normally incur from identity theft.  For example, in cases of credit card fraud, the victim is usually only accountable for $50 of the fraudulent charges (in some cases, zero accountability, as banks in recent years have rushed to jump on the bandwagon to quickly remove fraudulent charges from a customer's debit or credit card).  In other cases, significant out-of-pocket expenses and inconveniences are incurred by individuals (ranging from $50 to $5000), but the average individual victim incurs little to no out-of-pocket expenses in about 50% of cases.  The most current victimization data are maintained by the FTC at their FTC Identity Theft Site.  Numbers fluctuate from year to year, making it hard to get any good, solid, criminological information on the size of this particular form of identity theft.  In general, it is known, however, the sooner a victim discovers they are victimized, the smaller the losses.  Yet, most consumers don't realize their identity has been stolen until months (sometimes years) after the event happened. 

    Criminologists have only recently turned their attention toward this kind of crime, and scholarly study has been caught up in trying to get a handle on all its varieties.  For that reason, more typologies (attempts at classification) than theories (of causation) exist.  The most commonly used definition is provided by Schmalleger & Pittaro (2009:225) as: "the act of obtaining unique personal information and then using that information to impersonate one or more victims, in one or more locations, across a time period spanning hours to years."  Key elements include theft of the Social Security Number (SSN), date of birth, and address.


    There are three general ways identity theft occurs, and each way involves a number of seemingly unrelated activities:

    Common techniques used in identity theft include: dumpster diving; shoulder surfing; spamming; and phishing.  Dumpster divers go thru trash in order to retrieve copies of checks, credit card and bank statements, and other records.  Shoulder surfers look over victims' shoulders as they enter personal information into phones, computers, and ATMs.  Spammers send unsolicited e-mails advertising a product, service, or get-rich-quick scheme, and phishers send e-mails claiming there is a problem with one of the victim's existing accounts.  An identity thief only needs to obtain a small amount of personal information (like a number, password, or pin) because the rest can easily be obtained from any one of the many public record websites or a fee-based information broker.  Sometimes, the identity thief poses as an employer, loan officer, or landlord to obtain whatever additional information they need.  Some of the easy-to-find personal information on the Internet include:

A Close-Up Look at Phishing

     Phishing is the use of phony websites and emails disguised as reputable enterprises in order to obtain the information of unsuspecting recipients for the purpose of committing financial fraud. Phishing has become an increasing problem costing billions of dollars for both businesses and individuals. Only about 25% of phishing crimes originate in the U.S. and the rest are spread throughout the world.  A widely used means of phishing involves the transmission of hundreds of phony emails to recipients in which social engineering is also used for the purpose of compelling individuals to disclose personal and/or financial information. Also known as the dragnet scheme, this type of phishing will either manipulate recipients to disclose information or will redirect them to false links and websites that appear to be authentic but aren't. Dragnet phishing usually compels quick action by using alarming messages that creates immediate response on the part of victims and usually results in criminal activity that is also swift. The Rod and Reel phishing scam targets its victims and occurs at a slower pace. When the victims targeted are high income people ($100,000 and up), this is also known as spear phishing. The Lobsterpot scheme involves the creation of fake websites that resemble authentic sites. Phishers lay in wait for unsuspecting visitors at such sites, and work hard to make real looking logos of familiar businesses. Phishers can also superimpose fake web pages over authentic sites. Popular sites like EBay, PayPal, and Sony are often duplicated or replicated and used for criminal activity. This counterfeit site technique is quite sophisticated, and typically uses authentification and security methods like SSL. Phishing toolkits are generally available for purchase by anyone, and not only provide templates for beginners to get started, but contain advanced features which help facilitate the capture of transmitted information.

    Other ways to commit identity theft exist.  For example, with Social Security-number (SSN)-only theft, often the offender has no intent of stealing anybody's good credit. They simply want the number so they can work and establish their own line of credit in their own name.  According to the Identity Theft Resource Center, the crime can be sub-divided into five major categories:

(1) Business/Commercial Identity Theft
(2) Criminal Identity Theft
(3) Financial Identity Theft
(4) Identity Cloning
(5) Medical Identity Theft

    Cases of Identity Cloning may involve the attack of payment systems such as online credit card processing and medical insurance systems, but far more common is the impersonation of another individual for non-financial reasons. For instance, someone might want someone else's identity to receive praise or even attention for the latter's achievements. This is referred to as identity theft in the media.


    The reaction to identity theft is similar to the reaction from violent crime.  Many victims experience a sense of embarrassment so severe as to avoid reporting the problem to the police.  Many other victims give up because they think it would take too long (or be too difficult) to fix the problem.  One of the more common complaints victims have is that they believe law enforcement could do more to help.  It is possible, with this crime, that the first theoretical breakthrough will come via a criminal justice theory of victimization (Allison et. al 2005).

    In terms of a criminological theory of causation, the problem is that so many different motives exist.  Identity theft may include crimes involved with illegal immigration, terrorism, espionage and blackmail.  Thieves may acquire personal information about victims in the course of a robbery, burglary, or purse snatching.  Prostitutes may go thru their customer's belongings while the customer is otherwise engaged.  In addition, sales personnel in stores are well positioned to obtain a customer's personal information.  Further, there is the possibility of interception by mail of some personal information (like a credit card) before a customer even receives it. Counterfeiting also exists.  Crude, amateur attempts are easy to spot, but professional criminals can produce high-quality counterfeits using modern office equipment.

    In terms of motive, it is probably best to consider identity theft as a case of property crime.  That is to say the motive is most likely financial gain accompanied by a sense of thrill.  The most relevant criminological research is on the subjects of shoplifting, larceny-theft, and motor vehicle theft, which all suggest that offenders are primarily motivated by the opportunities for financial reward but also do so for the thrill of the experience (Vito et. al 2006).  Copes & Vieraitis (2008) also suggest that it is not just a combination of reward and risk which motivates offenders, but a rational (choice) decision and a matter of lifestyle.  Lifestyle theory in criminology (Sampson & Lauritsen 1990) is a version of rational choice theory which holds that factors such as opportunity, proximity, and demographics are important.  Offenders see opportunity in the way law enforcement is overwhelmed by the problem, and proximity (or propinquity -- getting close to or knowing the victim) provides the thrill, but far more important are the offender-victim links in terms of demographics.  Both victims and offenders tend to be young, ethnic, never married, live in big cities, lead an active (sometimes deviant) lifestyle, and use alcohol and/or drugs (it should be mentioned that rational choice theories are sometimes criticized for jumping down to the individual level a bit too quickly).


    There is much room for policy analysis and development when it comes to identity theft.  Besides the implications for new privacy laws, there is tendency for legislators to jump on the bandwagon of regulating/punishing businesses, corporations, and the information brokerage industry.  This is likely to be counterproductive, and likewise, there is little evidence that all the consumer awareness campaigns (e.g., videos, commercials, websites, posters, billboards) are effective.  Citizens seem to want less by way of reducing risk themselves and more by way of government protecting them.  However, the dilemma is that risk, in this instance (like with health and welfare policy) is most likely a shareable problem.  Hacker (2008), and others, have commented upon the so-called "great risk shift" by which market-oriented societies have an unfortunate tendency to offload institutional responsibilities upon individuals.  Holding individuals accountable for their own victimization while at the same time protecting them to the maximum extent possible will be one of the foremost policy dilemmas of the twenty-first century. 

How Internet Cookies Work
Identity Theft Resource Center
NIJ-Sponsored Research on Identity Theft
President's Task Force on Identity Theft
Privacy Rights Clearinghouse
U.S. DOJ Website on Identity Theft

Allison, S., Shuck, A. & Lersch, K. (2005). "Exploring the crime of identity theft: prevalence, clearance rates, and victim/offender characteristics."  Journal of Criminal Justice 33: 19-29.
Cleland, S. & Brodsky, I. (2011). Search and destroy: Why you can't trust Google, Inc. St. Louis: Telescope.
Copes, H. & Vieraitis, L. (2008). "Identity theft." In M. Tonry (ed.) Oxford Handbook on Crime and Public Policy. NY: Oxford Univ. Press.
Sampson, R. & Lauritsen, J. (1990). "Deviant lifestyles, proximity to crime, and the offender-victim link in personal violence." Journal of Research in Crime and Delinquency 27, 110-139.
Schmalleger. F. & Pittaro. M. (eds.) (2009). Crimes of the Internet. Saddle Brook, NJ: Pearson.
Slosarick, K. (2002). "Identity theft: An overview of the problem." The Justice Professional 15: 329-343.
Vito, G., Maahs, J. & Holmes, R. (2006). Criminology: Theory, research, and policy, 2e. Sudbury, MA: Jones & Bartlett.

Last updated: Oct. 04, 2011
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice
O'Connor, T. (2011). "Identity Theft," MegaLinks in Criminal Justice. Retrieved from accessed on Oct. 04, 2011.