Identity Theft Types and Definitions
Identity theft encompasses a broad category of fraud in which a perpetrator obtains and misuses another person's personally identifiable information (PII) without authorization — typically to gain financial benefit, evade legal accountability, or access services. The Federal Trade Commission (FTC) received 1.4 million identity theft reports in 2022 (FTC Consumer Sentinel Network Data Book 2022), making it the most frequently reported fraud category in the United States. This page maps the major classifications of identity theft, the mechanisms that enable each type, and the definitional boundaries that distinguish overlapping categories within the service landscape covered by the Identity Protection Providers.
Definition and scope
The FTC's Identity Theft Program, codified at 16 C.F.R. Part 603, defines identity theft as fraud committed or attempted using the identifying information of another person without lawful authority. The Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) provides the statutory foundation governing how consumer reporting agencies must respond when identity theft is documented. At the federal criminal level, 18 U.S.C. § 1028 establishes identity fraud as a federal offense, with aggravated identity theft under § 1028A carrying a mandatory 2-year sentence enhancement.
Identity theft is classified across five primary domains by the FTC's reporting taxonomy:
- Financial identity theft — unauthorized use of identifying information to open credit accounts, take out loans, or conduct financial transactions
- Medical identity theft — use of a victim's name or health insurance credentials to obtain medical services, prescriptions, or equipment
- Tax identity theft — filing fraudulent tax returns using a victim's Social Security Number to claim refunds
- Criminal identity theft — presenting a victim's identity to law enforcement during arrest or investigation
- Synthetic identity theft — fabricating a new identity by combining real PII (such as a Social Security Number) with fictitious personal details
Each type triggers distinct reporting pathways, recovery procedures, and regulatory oversight bodies. The outlines how these categories organize the service landscape catalogued within this resource.
How it works
Identity theft proceeds through three operational phases regardless of the specific type involved:
Phase 1 — Acquisition. The perpetrator obtains PII through data breaches, phishing attacks, physical theft of documents, account takeover, or purchase of stolen credentials on dark web markets. The Identity Theft Resource Center (ITRC) tracked 1,802 data compromises in 2022, affecting an estimated 422 million individuals (ITRC 2022 Annual Data Breach Report).
Phase 2 — Exploitation. Acquired credentials are used to impersonate the victim. In financial identity theft, this typically involves submitting credit applications. In tax identity theft, a fraudulent Form 1040 is filed before the legitimate taxpayer files. In medical identity theft, a perpetrator presents insurance credentials at a provider facility. Synthetic identity theft introduces a delay phase: fabricated identities are often "aged" by establishing thin credit files before large-scale fraud is executed.
Phase 3 — Concealment. Perpetrators route transactions through mule accounts, falsify contact information on new accounts, or redirect mail. The victim typically discovers the fraud only through a credit denial, unexpected collection notice, IRS correspondence, or an alert from a monitoring service.
NIST Special Publication 800-63-3 (Digital Identity Guidelines) identifies authentication assurance levels as a core mitigation mechanism — weak authentication at identity-proofing stages enables acquisition to succeed even when the underlying PII is partially fabricated, as in the synthetic identity model.
Common scenarios
Financial account fraud remains the most reported subtype, accounting for 40% of identity theft reports in the FTC's 2022 data. Credit card fraud alone represented 441,822 reports that year (FTC Consumer Sentinel Network Data Book 2022). Perpetrators use breached card numbers for card-not-present transactions or apply for new credit using full identity profiles.
Tax identity theft peaks between January and April, when fraudulent returns are filed ahead of the legitimate taxpayers' own returns. The IRS Identity Protection PIN (IP PIN) program, administered under IRS Publication 5367, mitigates this by requiring a 6-digit PIN known only to the taxpayer and the IRS.
Medical identity theft produces downstream harm beyond financial loss: fraudulent entries in medical records can alter documented blood type, diagnoses, or medication histories, creating patient safety risks. The Department of Health and Human Services Office for Civil Rights (HHS OCR) oversees breaches involving protected health information under the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414).
Synthetic identity fraud is structurally distinct from the other types because no single real individual is victimized in full. The Federal Reserve Bank of Boston estimated synthetic identity fraud to be the fastest-growing financial crime in the United States, costing lenders approximately $6 billion annually (Federal Reserve Bank of Boston, Synthetic Identity Fraud, 2019). Because credit bureaus may assign thin-file or "ghost" profiles to synthetic identities, traditional fraud detection tools produce lower alert rates.
Decision boundaries
Distinguishing between identity theft types is not a semantic exercise — each type routes to a different recovery infrastructure, regulatory body, and documentation standard.
Financial vs. synthetic identity theft: In financial identity theft, a real victim can document unauthorized accounts and dispute them under the FCRA's block procedure (15 U.S.C. § 1681c-2). Synthetic identity theft may not trigger a victim dispute because the fabricated identity does not correspond to a real consumer who receives notices. Lenders bear the primary loss, not an individual victim.
Tax identity theft vs. general fraud: Tax identity theft is specifically addressed by the IRS through the Identity Theft Affidavit (Form 14039) and the Taxpayer Protection Program. General financial fraud does not qualify for these IRS administrative processes.
Medical identity theft vs. HIPAA breach: A HIPAA breach is a covered entity's failure to protect PHI — it may or may not involve active identity theft. Medical identity theft requires affirmative misuse of a patient's identity by a third party. HHS OCR handles HIPAA breach enforcement; the FTC handles identity theft remediation via IdentityTheft.gov. The two tracks can apply simultaneously.
Criminal identity theft: This type cannot be resolved through credit bureau disputes or IRS processes. Remediation requires direct engagement with the law enforcement agency that recorded the false identity, often requiring a court order to expunge arrest records. The process is administered at the state level, with procedures varying across all 50 states.
Professionals and service seekers navigating recovery workflows across these categories will find the How to Use This Identity Protection Resource page useful for understanding how the provider network structures providers by type and recovery phase.