Identity Theft Types and Definitions
Identity theft spans a broad spectrum of fraud categories, each defined by the type of credential compromised, the sector targeted, and the method of exploitation. The Federal Trade Commission (FTC) classifies identity theft across consumer, financial, medical, governmental, and criminal domains — distinctions that determine both the remediation pathway and the applicable legal framework. Understanding the classification structure allows individuals, compliance officers, and fraud investigators to apply the correct protective and recovery mechanisms to a given incident. For statistical context on the scale of each category, identity theft statistics for the US provides a reference baseline.
Definition and Scope
Identity theft, as defined under the Identity Theft and Assumption Deterrence Act of 1998 (18 U.S.C. § 1028), occurs when a person knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity. The statute covers names, Social Security numbers, dates of birth, government-issued identification numbers, financial account numbers, and biometric data as protected identifiers.
The FTC's IdentityTheft.gov platform, which serves as the federal government's primary identity theft recovery portal, organizes incident types into 9 broad categories in its annual consumer sentinel reporting. The broadest regulatory framing appears in the Fair Credit Reporting Act (15 U.S.C. § 1681), which establishes consumer rights when fraudulent accounts or inquiries appear on credit files — a downstream consequence of nearly every identity theft variant.
The scope of identity theft extends across four classification zones:
- Consumer financial identity theft — unauthorized use of credit, debit, or banking credentials
- Governmental identity theft — misuse of Social Security numbers, tax records, or benefit program access
- Medical identity theft — fraudulent use of insurance credentials or patient identification
- Criminal and synthetic identity theft — use of another person's identity during law enforcement encounters, or the fabrication of composite identities using real data fragments
How It Works
Identity theft follows a consistent three-phase operational structure regardless of the specific type:
-
Acquisition — The perpetrator obtains personally identifiable information (PII) through data breaches, phishing, physical theft, social engineering, or dark web purchase. The personal information at risk reference page details which data elements carry the highest exposure.
-
Exploitation — The acquired PII is used to open new accounts, file fraudulent claims, make unauthorized transactions, or impersonate the victim in institutional or law enforcement contexts.
-
Concealment — The perpetrator takes steps to delay discovery: changing account contact information, intercepting mail, or using the victim's identity intermittently across extended periods. Medical and criminal identity theft are particularly difficult to detect because victims often have no direct financial account monitoring mechanism.
The Identity Theft Enforcement and Restitution Act of 2008 (Pub. L. 110-326) extended federal jurisdiction over identity theft crimes committed without using interstate communications — closing a gap that previously exempted locally-contained fraud schemes.
Common Scenarios
The following categories represent the primary identity theft types recognized across federal enforcement, credit bureau reporting, and consumer protection frameworks.
Financial Identity Theft
The most prevalent category by volume, financial identity theft involves the unauthorized use of banking, credit, or investment account credentials. New account fraud — where a criminal opens lines of credit in a victim's name — is distinct from account takeover fraud, where an existing account is compromised. Account takeover fraud and new account fraud follow different detection and remediation pathways, with account takeover typically discoverable through real-time transaction alerts and new account fraud often surfacing only on credit reports.
Tax Identity Theft
Tax identity theft occurs when a fraudulent tax return is filed using a victim's Social Security number to claim a refund before the legitimate return is submitted. The IRS Identity Protection PIN (IP PIN) program, administered under Internal Revenue Code § 6109, provides an opt-in defense mechanism for eligible taxpayers. The IRS Criminal Investigation division reported 15,242 identity theft-related tax fraud investigations in fiscal year 2022 (IRS Data Book 2022).
Medical Identity Theft
Medical identity theft involves the fraudulent use of a victim's health insurance credentials to obtain medical services, prescription drugs, or equipment reimbursements. The Department of Health and Human Services Office for Civil Rights (HHS OCR) enforces HIPAA provisions that bear on unauthorized disclosure of protected health information — though HIPAA does not itself create a private right of action for identity theft victims.
Synthetic Identity Fraud
Synthetic identity fraud does not target a single real individual's complete identity. Instead, fraudsters combine a real Social Security number — often belonging to a child, incarcerated person, or recently deceased individual — with fabricated names, addresses, and birthdates to construct a fictitious identity. The Federal Reserve identified synthetic identity fraud as the fastest-growing financial crime in the United States in its 2019 payments study (Federal Reserve Synthetic Identity Fraud).
Child Identity Theft
Child identity theft exploits the clean credit profile of minors, whose Social Security numbers are rarely monitored. Fraud may go undetected for years — until the child applies for student loans, employment, or housing and discovers existing derogatory account history.
Criminal Identity Theft
Criminal identity theft occurs when an arrested individual provides law enforcement with a victim's name and identifying documents instead of their own. The victim may face warrants, driver's license suspensions, or background check failures with no corresponding financial loss, making traditional credit monitoring ineffective as a detection tool.
Senior Identity Theft
Senior identity theft encompasses financial exploitation, Medicare fraud, and targeted phishing schemes directed at adults over 60. The FBI's Elder Fraud Report 2022 documented $3.1 billion in losses among victims over age 60 (FBI Elder Fraud Report 2022).
Decision Boundaries
Distinguishing identity theft types requires mapping the evidence to specific definitional criteria:
| Category | Primary Identifier Compromised | Detection Mechanism | Primary Regulatory Body |
|---|---|---|---|
| Financial | Account numbers, credit file | Credit report, bank alerts | CFPB, FTC |
| Tax | Social Security number | IRS notice, return rejection | IRS |
| Medical | Insurance ID, patient number | EOB statements, medical records | HHS OCR |
| Synthetic | SSN fragment + fabricated data | Authorized user anomalies | CFPB, FinCEN |
| Child | Minor's SSN | Credit pull at age 18 | FTC, CFPB |
| Criminal | Government-issued ID | Background check, warrant search | FBI, state law enforcement |
Financial vs. Synthetic: The critical distinction between standard financial identity theft and synthetic identity fraud is whether a real, complete person's identity is used (financial) or whether a composite record is constructed (synthetic). Synthetic fraud bypasses identity verification checks that rely on matching a name to a SSN, because the synthetic identity may have a credit history that appears internally consistent.
Account Takeover vs. New Account Fraud: Account takeover involves existing relationships between the victim and a financial institution; the institution already holds the victim's verified profile. New account fraud creates a new relationship using stolen or fabricated credentials, generating credit inquiries and new tradelines that appear on the victim's credit report. A credit freeze prevents new account fraud but does not block transactions on existing compromised accounts.
Incidents involving SIM swapping or compromised multi-factor authentication may overlap with financial identity theft, account takeover, and new account fraud simultaneously — requiring coordinated response across carriers, financial institutions, and credit bureaus rather than a single-track remediation process.
References
- Federal Trade Commission — Identity Theft Resources (IdentityTheft.gov)
- 18 U.S.C. § 1028 — Identity Theft and Assumption Deterrence Act
- Fair Credit Reporting Act — 15 U.S.C. § 1681 (FTC)
- Identity Theft Enforcement and Restitution Act of 2008 — Pub. L. 110-326
- IRS Data Book 2022 — Identity Theft Investigation Statistics
- HHS Office for Civil Rights — HIPAA
- Federal Reserve — Synthetic Identity Fraud in the US Payment System (2019)