D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: INCIDENCE OF IDENTITY THEFT AND IDENTITY FRAUD IN SOCIETY

The value of online identification data (such as unique identifiers, login names and password codes) is a consequence of the increasing availability of services that depend on such data. Since these services are still fairly new and are still struggling to become accepted by the general public, abuses of identification data are also a fairly recent phenomenon. For this reason, identity crime is not a domain that is very commonly studied at this point. The dark number problem further increases the difficulty in obtaining reliable numbers. For example, complaints in the banking sector will typically be reported to the bank first, who has a large vested interest in keeping any problems out of official statistics by settling them privately. After all, if too many complaints are reported, potential users will be less likely to confide in the existing infrastructure, which would harm business growth.

As a consequence, reliable incidence data is extremely rare, and tends to be focused on the United States, where the problem of identity theft has been studied for a longer period of time. Many reports on ID-related crimes pertain to report numbers on ID theft, while in fact these numbers most often represent data on ID fraud. As we have discussed in section , identity theft is best seen as the misappropriation of an identity. The ‘stolen’ identity can, but often is not, used for further offences; ID theft is a breeder offence. The acquired identity can be used for a wide range of crimes, such as drugs or arms trafficking, money laundering, but the most common type of crime linked to identity theft is identity fraud.

In 2005 a number of large scale ID thefts have surfaced, amongst others as a result of Californian legislation obliging companies and non-profit agencies to inform its residents if someone gained unauthorized access to their personal data. For instance, CardSystems, a credit card data processor, in June 2005 reported that 40 million credit card numbers were stolen from their database. Online discount broker Ameritrade Holding Corp. in April 2005 admitted that about 200,000 current and former customers that a backup computer tape containing their personal information has been lost. Bank of America reported the loss of backup tapes containing the financial records of 1.2 million federal employees. DSW lost 1.4 million credit card numbers and the names on those accounts, including information from shoppers in the Pittsburgh area, between November 2004 and February, to thieves. Lexis-Nexis lost personal information of 280,000 people in their databases in April 2005.

Not all of these stolen identity data will actually be used to commit further crimes. As far as we are aware of, no solid data exist with respect to the percentage of the stolen records that is used in further ID crimes.  

With respect to the uses of the stolen identity in the US, the following numbers can be compiled from the various studies According to Elston and Stein, the US Federal Trade Commission reported 94.100 identity theft complaints between November 1999 and September 2001 (Elston and Stein 2002). The Privacy Rights Clearinghouse, another US organisation that collects data on the incidence of ID-theft, claimed that there were no less than 700.000 victims of identity theft in 2001 in the USA alone.

More recent FTC figures show a significant growth in number of consumer complaints about ID-theft ().

Table . Identity theft records.

The September 2003 Synovate report, prepared for the FTC, estimates the following numbers of ID theft victims:

"1.5 percent of survey participants reported that in the last year they had discovered that their personal information had been misused to open new credit accounts, take out new loans, or engage in other types of fraud, such as misuse of the victim’s name and identifying information when someone is charged with a crime, when renting an apartment, or when obtaining medical care (“‘New Accounts & Other Frauds’ ID Theft”).  This result suggests that almost 3.25 million Americans discovered that their personal information had been misused in this kind of fraud in the past year.

2.4 percent of survey participants reported misuse of their information in the last year that was limited to the misuse of one or more of their existing credit cards or credit card account numbers (“Misuse of Existing Credit Cards or Card Numbers”).  0.7 percent of participants reported misuse of one or more of their existing accounts other than credit cards – for example checking or savings accounts or telephone accounts (“Misuse of Existing Non-Credit Card Accounts or Account Numbers”).1

Including all types of ID Theft, a total of 4.6 percent of survey participants indicated that they had discovered they were victims of ID Theft in the past year.  This result suggests that almost 10 million Americans have discovered that they were the victim of some form of ID Theft within the last year.   

percent of survey participants reported that they had discovered that they were victims of “New Accounts & Other Frauds” ID Theft during the previous 5 years.  6.0 percent said that they had discovered that they were victims of the “Misuse of Existing Credit Cards or Card Numbers,” while 2.0 percent indicated that they were victims of the “Misuse of Existing Non-Credit Card Accounts or Account Numbers.”  In total, 12.7 percent of survey participants reported that they had discovered the misuse of their personal information within the last 5 years."

Table . Incidence of ID theft as reported in the Synovate 2003 study for the FTC.

A more detailed breakdown of the uses of misappropriated identity data is provided in the FTC’s  2004 annual report.

NB: percentages sum up to more than 100% because some victims report more than one type of fraudulent reuse. 

Table . Fraudulent reuses of identity information in the US in 2004.

From a financial perspective, Visa and Mastercard (who represent some 75% of the general purpose credit card market) claimed a total loss to identity theft of 114,3 million US$ (roughly 88,9 million €) in 2000.

It is difficult to find reliable European figures. The UK Cabinet Office ID fraud study estimates the annual cost of ID fraud in the UK at £1.3 billion. A breakdown of the estimates suggests that the primary areas are: VAT 215 m£, money laundering 395 £m, credit cards 370 m£, insurance companies 250 m£, fraud reported to CIFAS a UK based credit industry fraud prevention association m£62.5. An interesting point to note on the basis of the UK Cabinet Office figures is that these numbers suggest the prime areas to be Customs related in the public sector and credit cards and insurance fraud in the private sector. However, this is primarily due to the fact that no figures are available with respect to social security fraud and work related fraud (e.g. working permits).

In line with US trends, also in the UK the number of ID fraud cases appears to rise. It is the fastest growing type of fraud in the UK; identity fraud is regarded as the biggest fraud problem facing society. CIFAS, for instance, claimed in January 2005 that identity theft rose by 600% between 1999 and 2004. More generally, identity fraud is an international concern and an increasing threat, e.g. also in Australia it is the fastest growing type of crime. The international perspective reveals that identity fraud crosses boundaries. The emergence of financial customer service centres in developing countries to serve European customers will have new implications for identity fraud.

Corporate Identity Theft and Fraud

Reports in the press about identity theft commonly focus on the individual. An equally significant type of identity theft and fraud involves companies. ‘Long firm fraud’ is one example of corporate identity fraud where a fraudster creates a company trading history allowing them to conduct transactions and then disappear. Another kind of corporate identity fraud is company cloning. Here a company’s identity is used to perform new transactions (not necessarily fraudulent) and/or provide new services reusing the reputation of the company.

Yet another type of corporate identity fraud specifically targets companies that do not take credit card payments. Fraudsters set up an account with a merchant payment service under the name of the company. Once the account is established, it can be used to harvest stolen credit card numbers. The fraudsters make payments to the newly established account, siphon the funds on this account off into their own bank accounts, and vanish. The genuine company is then saddled with the consequences of this scam, as the merchant payment service will hold it, at least initially, accountable for the fraudulent credit card transfers. 

These kinds of corporate identity fraud can harm companies in multiple ways, including financial loss, damage to reputation, loss of actual and potential customers, industrial sabotage and industrial espionage leading to loss of competitive advantage and revenues.  

Individual identity fraud for the purpose of defrauding a company 

Identity fraud may be used by employees who apply under a false or stolen identity for a job and use their insider position to defraud the company. It may also be used by clients or suppliers that work with company. Individuals for example may combine long firm fraud, mentioned previously, with identity theft of another individual (e.g. a director of another company), in order to create a company with a forged background and history, which can then be used to defraud yet another company. 

Corporate identity fraud for the purpose of defrauding an individual 

The best known example in this category is phishing which was described in detail in section . In these types of scams, fraudsters use emails and fraudulent websites that hijack the brand of a well-known company (in 70-80% of cases these are financial companies). This is essentially ‘stealing’ the company’s identity in order to fool individuals into divulging information such as passwords or bank account details. It is estimated that up to 5% of recipients respond to such emails. Another example is the case of companies selling bad medicine using the name of real companies producing these medicines.