1 billion reasons to protect your identity online

Corporate data breaches are a gateway to identity fraud, but they’re not the only one. Here’s a lowdown on how your personal data could be stolen – and how to make sure it isn’t.

08 Apr 2025
 • 
,
5 min. read

Data breaches are a growing threat to companies and a nightmare for their customers. According to the latest figures, 2024 witnessed 3,158 publicly reported incidents in the US – just short of the all-time high. Over 1.3 billion data breach notification letters had to be sent out to victims as a result, with more than a billion of them caught up in five mega breaches of over 100 million records each.

The bad news is that this is just the tip of the iceberg. There are many other ways that your personally identifiable information (PII) could get into the wrong hands. Once circulating in the cybercrime underground, it’s only a matter of time before it is used in identity fraud attempts.

What’s at stake?

What data are we talking about? It could include:

• Names and addresses
• Credit/payment card numbers
• Social Security or government ID numbers
• Bank account numbers
• Medical insurance details
• Passport/driver’s license
• Logins to corporate and personal online accounts

Once your personal data has been stolen, either in a massive data breach or via one of the many methods listed below, this data will likely be sold or given away to others for use in various fraud schemes. This could range from illegal purchases to account takeover (ATO), new account fraud, or phishing schemes designed to elicit even more sensitive information. In some cases, real details are mixed with machine-generated ones to create synthetic identities which are harder for fraud filters to block.

It’s big business. According to Javelin Strategy & Research, identity fraud and scams cost Americans $47bn in 2024 alone.

How does identity theft work?

Identity fraud ultimately comes down to data. So how could cybercriminals typically get yours? If they’re not stealing large troves of it from third-party organizations you do business with, the top vectors for more targeted attacks against individuals are:

• Phishing/smishing/vishing: Classic social engineering attacks can come via various channels, ranging from traditional email phishing, to texts (smishing) and even phone calls (vishing). The threat actor will typically use tied-and-tested techniques to trick you into doing their bidding, which is usually either clicking on a malicious link, filling out personal information or opening a malicious attachment. These include use of official branding to impersonate a well-known company or institution, and tricks like caller ID or domain spoofing.
• Digital skimming: To get hold of your card details, threat actors may insert malicious skimming code into the web pages of a popular e-commerce or similar site. The whole process is completely invisible to the victim.
• Public Wi-Fi: Unsecured public Wi-Fi networks can facilitate man-in-the-middle attacks where your personal information is intercepted. Hackers might also set up rogue hotspots to collect data and redirect victims to malicious sites.
• Malware: Infostealer malware is a growing problem for both corporate users and consumers. It can be unwittingly installed via various mechanisms, including phishing messages, drive-by-downloads from infected websites, cracked games, Google Ads, or even legitimate-looking applications including fake meeting software. Most infostealers harvest files, data streams, card details, crypto assets, passwords and keystrokes.
• Malvertising: Malicious ads can be programmed to steal information, sometimes without even demanding user interaction.
• Malicious websites: Phishing sites can be spoofed to appear as if they are the real thing, right down to faked domain. In the case of drive-by-downloads, all a user has to do is visit a malicious page and a covert malware install will begin. Often, malicious websites are pushed to the top of search rankings so they have more exposure, thanks to nefarious SEO techniques.
• Malicious apps: Malware, including banking Trojans and infostealers, can be disguised as legitimate apps, with the risks particularly high outside official app stores like Google Play.
• Loss/theft of devices: If your device goes missing and doesn’t have adequate protection, hackers could raid it for personal and financial data.

How to prevent identity fraud

The most obvious way to prevent identity fraud is to stop the bad guys getting at your personal and financial information in the first place. It requires a series of steps that, when applied together, can do a good job of achieving just this. Consider the following:

• Strong, unique passwords: Choose a different password for each site/app/account, and store them in a password manager which will recall them seamlessly for you. Enhance this by switching on two-factor authentication (2FA) in your online accounts. It means that, even if a threat actor obtains your password, they won’t be able to use it. An authenticator app or hardware security key is the best option for 2FA.
• Install security software: Use security software from a reputable vendor for all of your devices and PCs. This will scan and block malicious apps and downloads, detect and block phishing websites and flag suspicious activity, among many other things.
• Be skeptical: Always be on the lookout for the warning signs of phishing: an unsolicited message urging prompt action, containing clickable links or attachments to open. The sender may use tricks such as time-sensitive prize draws, or warnings that a fine will be levied unless you reply ASAP.  
• Only use apps from legitimate sites: Stick to the Apple App Store and Google Play in the mobile world, to limit your exposure to malicious apps. Always check reviews and permissions before downloading.
• Be wary of public Wi-Fi: Steer clear of public Wi-Fi or, if you can’t avoid it, try not to open any sensitive accounts while logged on. Either way, use a VPN in order to stay safer.

Responding to a breach

There’s nothing much you can do about third-party data breaches, aside from electing not to save your payment card and personal details when buying items. This will mean there’s less for threat actors to steal if they do manage to breach a company you do business with. However, it also pays to take a proactive approach. Some identity protection products scour the dark web for your details, to see if they have already been breached, for example. If there’s a match, it could give you time to cancel cards, change passwords and take other precautions. It also pays to keep an eye open for suspicious activity in your bank accounts.

Other post-breach steps could include:

• Freezing your credit: Do so with each of the three main credit bureaus. This prevents them from sharing your credit report with third parties, meaning fraudsters can’t open new accounts in your name.
• Tell your bank: Freeze your cards (this can be done via most banking apps), report fraud and request replacement cards.
• File a report: Tell the police and potentially the FTC (in the US). By publicizing your own victimization, it could help others. Also file with any relevant agencies; i.e., driver’s license theft should be reported to the DMV.
• Change your logins: Change any compromised credentials and switch on 2FA.

Identity fraud continues to be a threat because it is relatively easy for threat actors to start making healthy profits. By reducing the avenues they can use to extract our personal information, we can discomfort our adversaries and hopefully keep our own digital lives safe and secure.