Identity Protection Glossary of Terms

The identity protection sector operates with a specialized vocabulary drawn from consumer protection law, credit reporting regulation, cybersecurity standards, and fraud investigation practice. This page defines the core terms used across identity theft types and definitions, remediation workflows, and regulatory frameworks governing how individuals and institutions respond to identity compromise. Precise terminology matters because misapplied terms — such as confusing a fraud alert with a credit freeze — produce materially different legal and procedural outcomes.


Definition and scope

Identity protection terminology encompasses three overlapping domains: consumer credit and financial fraud, cybersecurity and authentication, and legal and regulatory procedure. The Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) anchors much of the consumer-facing vocabulary, defining terms such as "consumer report," "consumer reporting agency," and "fraud alert" with statutory precision. The FTC's Identity Theft Program rules under 16 C.F.R. Part 603 establish definitional standards for "identity theft" as a regulatory category distinct from general fraud.

At the cybersecurity layer, NIST's Special Publication 800-63-3 defines identity assurance levels (IAL), authenticator assurance levels (AAL), and federation assurance levels (FAL) — a three-tier classification framework that governs how strongly an individual's identity must be verified before system access is granted.

The scope of terms covered here extends from individual-facing protective mechanisms (credit freezes, fraud alerts, identity monitoring) through institutional frameworks (breach notification obligations, affidavit procedures, FCRA dispute rights) to threat-vector terminology (synthetic identity fraud, account takeover fraud, SIM swapping).


How it works

Terms in the identity protection sector are organized around a detection–containment–recovery model, consistent with the FTC's IdentityTheft.gov recovery framework. Each phase carries its own vocabulary cluster:

  1. Detection terms — describe mechanisms that surface unauthorized activity before or shortly after it occurs.

     - Credit monitoring: Continuous surveillance of a consumer's credit file for new inquiries, account openings, or derogatory marks.
     - Dark web monitoring: Automated scanning of known dark web marketplaces and data dumps for a consumer's credentials or personal identifiers. See dark web monitoring explained.
     - Breach notification: Legally mandated disclosure by an entity whose systems were compromised, required under 48 state breach notification statutes catalogued by the National Conference of State Legislatures.

  2. Containment terms — describe legal and procedural mechanisms that limit ongoing damage.

     - Credit freeze (security freeze): A restriction placed on a consumer's credit file at each of the 3 major credit bureaus (Equifax, Experian, TransUnion), preventing new credit from being issued without the consumer's explicit lift. Governed by FCRA § 605A. See how to place a credit freeze.
     - Fraud alert (initial): A 1-year notice added to a consumer's credit file requiring creditors to take reasonable steps to verify identity before extending credit. Governed by FCRA § 605A(a).
     - Extended fraud alert: A 7-year fraud alert available to confirmed identity theft victims who file an FTC Identity Theft Report. Governed by FCRA § 605A(b). See extended fraud alert eligibility.
     - Active duty alert: A 1-year fraud alert available to military personnel on active duty, governed by FCRA § 605A(c) and detailed further at identity protection for military personnel.

  3. Recovery terms — describe processes used to restore a victim's financial, legal, and credit standing.

     - Identity Theft Report: An FTC-generated document combining a completed Identity Theft Affidavit with a complaint filed at IdentityTheft.gov. This document carries legal weight under the FCRA and is required to invoke extended fraud alert rights and certain dispute protections.
     - Identity Theft Affidavit: A sworn statement describing fraudulent accounts or charges, filed with creditors and credit bureaus. See identity theft affidavit.
     - Dispute: A formal challenge to inaccurate information on a consumer credit report, governed by FCRA § 611. See disputing fraudulent accounts.
     - Identity restoration: The multi-step process of correcting records across financial institutions, government agencies, and credit bureaus following confirmed identity theft. See identity restoration process.

Common scenarios

Term usage varies by the type of identity crime encountered. The following classification illustrates how vocabulary shifts across four major fraud categories:

Financial identity theft primarily activates FCRA vocabulary — fraud alerts, credit freezes, dispute rights, and the Identity Theft Report process. The term "new account fraud" describes the opening of credit lines using a victim's stolen credentials; "account takeover" describes unauthorized access to existing accounts.

Medical identity theft introduces a distinct vocabulary layer governed by HIPAA (45 C.F.R. Parts 160 and 164). Key terms include "Amendment Request" (a patient's right to correct a medical record under HIPAA § 164.526) and "Accounting of Disclosures" (the right to know who accessed a medical record under § 164.528).

Synthetic identity fraud involves the creation of fictitious identities using a blend of real and fabricated personal data — typically combining a legitimate Social Security number with a fabricated name and date of birth. The Federal Reserve's FedPayments Improvement resources distinguish synthetic fraud from true-name fraud, a classification boundary with significant implications for detection methodology.

Tax identity theft operates under IRS vocabulary: "Identity Protection PIN" (IP PIN) is a 6-digit number issued by the IRS that must be included on a tax return before it is accepted, preventing fraudulent filings. The IRS Identity Protection Specialized Unit handles these cases under its Identity Theft Central program.


Decision boundaries

Applying identity protection terminology correctly requires understanding where definitional boundaries are drawn between similar terms:

Credit freeze vs. fraud alert: A credit freeze blocks new credit issuance entirely and remains in place indefinitely until lifted. A fraud alert does not block credit issuance — it adds a verification step. Under FCRA § 605A, only confirmed identity theft victims or active duty military qualify for extended or active duty alerts; any consumer may place an initial fraud alert without documentation. The practical and procedural distinctions are detailed at credit freeze vs. fraud alert.

Identity theft vs. identity fraud: In statutory language, "identity theft" refers to the unauthorized acquisition and use of another person's identifying information (defined under 18 U.S.C. § 1028). "Identity fraud" is sometimes used interchangeably but may refer more narrowly to the fraudulent use of identity in a specific transaction. Regulatory agencies — including the FTC and FBI — do not maintain a uniform distinction, making context-specific interpretation necessary.

Phishing vs. social engineering: Phishing describes a specific attack vector using deceptive electronic communications to extract credentials or personal information. Social engineering is the broader category encompassing phishing, vishing (voice phishing), smishing (SMS phishing), pretexting, and impersonation — all techniques used to manipulate individuals into disclosing protected information.

Personal information vs. sensitive personal information: The FTC Act and state privacy laws (notably CCPA under Cal. Civ. Code § 1798.140) distinguish between general personal information (name, address) and sensitive categories (Social Security numbers, biometric data, health data) that trigger heightened protection obligations. See personal information at risk and biometric data protection for the full classification taxonomy.

