Identity Theft Statistics: US National Data

Identity theft is one of the most consistently reported consumer crimes in the United States, affecting millions of individuals across every demographic and income level each year. This page presents the primary statistical record of US identity theft — drawn from federal agency reports, consumer complaint data, and financial crime surveillance systems — to establish the measurable scope of the problem. These figures inform policy decisions, service-sector resource allocation, and individual risk assessments. Understanding the scale and distribution of identity theft incidents is foundational to navigating the identity theft types and definitions that structure modern fraud prevention frameworks.

Definition and scope

Identity theft, as defined by the Federal Trade Commission (FTC) under 16 C.F.R. Part 603, occurs when someone unlawfully obtains and uses another person's identifying information — such as a Social Security number, date of birth, or financial account credentials — for deceptive or fraudulent purposes.

The FTC's Consumer Sentinel Network is the primary national database for tracking identity theft complaints. According to the FTC Consumer Sentinel Network Data Book 2023, identity theft was the top complaint category, accounting for 1,036,834 reports out of approximately 5.4 million total consumer complaints filed that year. This represents a long-running pattern: identity theft has ranked as the top or second-ranked complaint category in the Consumer Sentinel database for more than two decades.

The FBI Internet Crime Complaint Center (IC3) separately tracks identity theft and related fraud through its annual Internet Crime Report. The IC3 recorded over $10.3 billion in total cybercrime losses in 2023, with identity-enabled fraud schemes — including business email compromise and credential theft — representing a substantial portion of that aggregate.

The statistical scope of identity theft extends beyond individual consumers. Synthetic identity fraud, which blends real and fabricated identifying data, is estimated by the Federal Reserve to be the fastest-growing financial crime in the United States (Federal Reserve, Synthetic Identity Fraud), affecting financial institutions through new account origination channels rather than individual victims in the traditional sense.

How it works

Identity theft incidents are not uniform events. They follow identifiable patterns tied to the method of data acquisition, the type of information targeted, and the fraud category ultimately executed. The FTC's Consumer Sentinel data classifies identity theft into discrete subtypes that allow statistical tracking across complaint populations.

The five most frequently reported identity theft categories in the FTC's 2023 data are:

  1. Credit card fraud — 415,826 reports, the single largest subcategory, covering both new account openings and takeovers of existing accounts
  2. Other identity theft — 283,468 reports, including online shopping fraud, email and social media account compromise, and medical identity theft
  3. Tax-related fraud — 167,695 reports, in which fraudulent tax returns are filed using a victim's Social Security number to claim refunds
  4. Phone or utilities fraud — 98,468 reports, involving unauthorized new service accounts opened in a victim's name
  5. Bank fraud — 86,163 reports, covering fraudulent account openings and unauthorized electronic fund transfers

(FTC Consumer Sentinel Network Data Book 2023)

The data acquisition mechanisms feeding these fraud types fall into two broad categories: data breach-driven theft, where personally identifiable information (PII) is extracted from institutional databases and sold on secondary markets, and social engineering-driven theft, where victims are manipulated into disclosing credentials or authentication data directly. Both pathways converge in the personal information at risk landscape, which includes Social Security numbers, financial account credentials, medical record identifiers, and government-issued ID numbers.

Common scenarios

The statistical record reveals that identity theft is not evenly distributed. Age, geography, and the type of identifying information exposed are all correlated with incident rates.

Age distribution: The FTC's 2023 data shows that individuals aged 30–39 filed the highest raw number of identity theft reports (223,167 reports), while individuals aged 80 and above filed the lowest (19,247 reports). However, raw counts do not reflect per-capita rates, and senior identity theft research consistently documents elevated per-capita financial losses among older victims due to concentrated retirement assets and lower baseline familiarity with digital fraud vectors.

Child identity theft: Child identity theft is a structurally distinct category because minors' Social Security numbers may go unused in legitimate financial contexts for years, allowing fraudulent accounts to accumulate without detection. Javelin Strategy & Research has documented that children are approximately 51 times more likely to be victimized than adults in certain fraud categories (Javelin Strategy & Research, Child Identity Fraud Report).

Tax identity theft: Tax identity theft follows a predictable seasonal pattern, with fraudulent returns concentrated in the January–April filing window. The IRS Identity Protection PIN (IP PIN) program, administered through the IRS online portal, is the primary institutional mitigation mechanism (IRS IP PIN program).

Medical identity theft: Medical identity theft occupies a distinct legal and operational category because it triggers HIPAA obligations alongside consumer fraud remediation pathways. The HHS Office for Civil Rights maintains a breach portal tracking covered entity incidents affecting 500 or more individuals (HHS Breach Portal).

Account takeover vs. new account fraud: A critical statistical distinction exists between account takeover fraud — in which existing accounts are accessed without authorization — and new account fraud, in which fraudulent accounts are opened using stolen identity data. The FTC's Sentinel data separates these, though both categories draw from the same pool of compromised PII exposed through major US data breaches.

Decision boundaries

The statistics establish clear thresholds that define when a situation crosses from routine credit error into confirmed identity theft requiring formal reporting and remediation.

Regulatory guidance from IdentityTheft.gov — the FTC's federally mandated recovery platform under 15 U.S.C. § 1681c-2 of the Fair Credit Reporting Act — identifies the trigger conditions for escalated response:

The identity theft reporting process formally begins with an FTC Identity Theft Report, which carries legal weight under the FCRA and enables consumers to exercise blocking rights against fraudulent tradelines. A separate identity theft police report may be required by creditors or financial institutions to initiate their own fraud investigation protocols.

The statistical significance of early detection is well documented: the FTC's recovery data indicates that consumers who place an initial fraud alert within 30 days of discovering identity theft report substantially fewer secondary fraudulent accounts than those who delay. The distinction between a standard fraud alert (90-day duration) and an extended fraud alert (7-year duration, available to confirmed identity theft victims) defines two different regulatory postures under FCRA § 605A — the choice between them is a meaningful operational decision, not a formality.

References

📜 4 regulatory citations referenced  ·  🔍 Monitored by ANA Regulatory Watch  ·  View update log

Explore This Site

Regulations & Safety Regulatory References Tools & Calculators Password Strength Calculator