Identity Theft Statistics: US National Data
Identity theft in the United States generates measurable, trackable harm across financial, medical, tax, and government benefit systems — and federal agencies publish annual datasets that define the scope of that harm with statistical precision. This page organizes the primary national data sources, explains how identity theft is classified and counted, describes the principal scenarios reflected in reporting data, and defines the boundaries that determine which events are counted as identity theft versus adjacent fraud categories. Professionals using the Identity Protection Providers or researching the sector through this reference will find the statistical landscape mapped to its regulatory and definitional foundations.
Definition and scope
Identity theft, as a statistical category, is defined by the Federal Trade Commission under 16 C.F.R. Part 603 as the unauthorized use of another person's means of identification to commit, or to aid or abet, any unlawful activity. The FTC's Consumer Sentinel Network is the primary national data repository, aggregating reports from consumers, law enforcement, and partner organizations. The FTC published 1.4 million identity theft reports in 2022, representing roughly 23 percent of all fraud reports filed with the agency that year (FTC Consumer Sentinel Network Data Book 2022).
The Bureau of Justice Statistics (BJS) tracks identity theft victimization through the National Crime Victimization Survey (NCVS), which captures incidents not reported to law enforcement — a structurally different measurement than FTC complaint counts. According to the BJS Identity Theft Supplement, an estimated 23.9 million Americans age 16 or older experienced at least one type of identity theft in 2021, representing approximately 9 percent of the US population in that age group.
These two data streams — complaint-based FTC data and victimization-survey BJS data — measure different populations and should not be treated as equivalent counts. The FTC count reflects motivated reporters; the BJS count estimates total population exposure including unreported incidents.
How it works
Identity theft operates through a sequence of discrete phases, each of which may involve different perpetrators, systems, and regulatory jurisdictions:
- Acquisition — Personally identifiable information (PII) is obtained through data breaches, phishing campaigns, physical theft, account takeover, or social engineering. The Identity Theft Resource Center (ITRC) reported 1,802 data compromises in 2022, affecting an estimated 422 million individuals (ITRC 2022 Annual Data Breach Report).
- Exploitation — The acquired PII is used to open new accounts, file fraudulent tax returns, submit false benefit claims, obtain medical services, or take over existing financial accounts.
- Discovery — Victims typically discover identity theft through a credit denial, unexpected bill, IRS notice, or monitoring alert — often weeks to months after initial exploitation.
- Reporting — Victims may report to the FTC via IdentityTheft.gov, to the three major consumer reporting agencies (Equifax, Experian, TransUnion), and to the relevant creditor or government agency.
- Recovery — The Fair Credit Reporting Act (15 U.S.C. § 1681c-2) provides a statutory right to block fraudulent tradelines from consumer reports, a process coordinated between the victim, the FTC identity theft report, and the reporting agency.
The Social Security Administration Office of the Inspector General and the Internal Revenue Service Criminal Investigation division each maintain parallel tracking for benefit fraud and tax-related identity theft, respectively — two categories that do not always appear in FTC complaint data.
Common scenarios
FTC Consumer Sentinel data classifies identity theft reports into distinct subcategories. The most frequently reported types in 2022 were:
- Government documents and benefits fraud — the largest single subcategory, accounting for approximately 395,000 reports, driven largely by pandemic-era unemployment insurance fraud (FTC Consumer Sentinel Network Data Book 2022).
- Credit card fraud (new accounts) — roughly 215,000 reports, reflecting the opening of new credit lines using stolen identity credentials.
- Credit card fraud (existing accounts) — approximately 175,000 reports, classified separately because existing-account takeover involves different fraud mechanisms and recovery pathways than new-account fraud.
- Loan or lease fraud — includes auto loans, personal loans, student loans, and real estate-related misuse.
- Bank and savings account fraud — unauthorized access or new account creation at depository institutions.
- Tax fraud — fraudulent federal or state returns filed using a victim's Social Security number, tracked jointly by the FTC and the IRS Identity Protection Specialized Unit.
- Medical identity theft — use of a victim's insurance credentials or identity to obtain medical services or equipment, with reporting intersecting HHS Office for Civil Rights jurisdiction under HIPAA.
Medical identity theft is structurally distinct from financial identity theft: the harm includes corrupted medical records that persist in clinical systems and may affect patient safety, not only credit or financial accounts. The World Privacy Forum has documented this category as one with the longest average resolution timelines.
Decision boundaries
Not all fraud constitutes identity theft under the statistical definitions used by federal agencies. The distinction has direct consequences for which recovery pathways apply and how events are counted.
Identity theft vs. general fraud: General fraud involves deception for financial gain but does not necessarily involve misuse of another person's identity credentials. The FTC separates these in Consumer Sentinel reporting; impersonation scams in which the victim's PII is not used to open or use an account under the victim's identity are categorized differently.
New-account fraud vs. account takeover: New-account fraud involves creating financial instruments in a victim's name — triggering FCRA block rights and credit freeze protections under 15 U.S.C. § 1681c-1. Account takeover involves unauthorized access to existing accounts and activates different remediation channels, including bank-level dispute resolution under Regulation E (12 C.F.R. Part 1005) for electronic fund transfers.
Reported vs. estimated victimization: FTC complaint counts are floor estimates only. The BJS NCVS methodology captures a statistically representative sample and projects population-level exposure — consistently producing estimates 10 to 15 times higher than complaint-based counts for financial identity theft.
Understanding these distinctions is foundational to using national statistics accurately, whether in policy research, service design, or navigating recovery resources. The outlines how these statistical categories map to the service landscape covered in this reference, and "How to Use This Identity Protection Resource" provides additional context on navigating the sector's data and regulatory frameworks.