What is Identity Theft?

Identity theft occurs when someone's personal information — such as name, address, date of birth, or financial details — is stolen and used without their knowledge to commit fraud or other crimes.

Identity theft occurs when someone steals your personal information and uses it to impersonate you, typically for financial gain. This can include using your name, address, date of birth, National Insurance number, bank details, or any other personal data to open accounts, make purchases, take out loans, or commit other forms of fraud in your name.

It is one of those crimes that feels abstract until it happens to you. But for the millions of people affected every year, the consequences are anything but abstract -- damaged credit scores, months spent resolving fraudulent accounts, financial losses, and the deeply unsettling feeling that someone is out there pretending to be you.

For businesses, identity theft represents a serious risk on multiple fronts. You could be the target (where criminals steal your employees' or your company's data), the unwitting accomplice (where a fraudster uses stolen identity information to transact with your business), or the victim (where your business suffers financial losses from fraud enabled by identity theft).

How Identity Theft Happens

Criminals obtain personal information through a wide variety of methods, some surprisingly low-tech and others highly sophisticated:

Data Breaches

Large-scale data breaches at companies, government agencies, and other organisations regularly expose millions of people's personal details. Once this data is leaked -- names, addresses, email addresses, passwords, and sometimes financial information -- it is traded and sold on dark web marketplaces. A single major breach can provide criminals with enough raw material for thousands of identity theft attempts.

Phishing and Social Engineering

Fraudsters send emails, text messages, or make phone calls designed to trick people into revealing personal information. A phishing email might look like it comes from your bank, asking you to "verify" your account details. A phone call might impersonate HMRC, claiming you owe unpaid tax and demanding immediate payment. These attacks exploit trust and urgency, and they work far more often than you might expect.

Physical Theft

Stolen wallets, intercepted post, documents taken from bins -- these old-fashioned methods are still in use. A single piece of post containing your full name, address, and account number can be enough for a criminal to start building a fraudulent identity in your name. This is why businesses should securely dispose of documents containing personal or financial information.

Public Information and Social Media

People share enormous amounts of personal information online without realising the risk. Your date of birth, mother's maiden name, the street you grew up on, your pet's name -- all of these are commonly used as security questions, and they are often freely available on social media profiles. A determined fraudster can piece together a surprisingly complete picture of someone's identity from public sources alone.

The Impact on Individuals

For individuals, identity theft can be devastating. The immediate financial impact -- fraudulent transactions, loans taken out in their name, emptied bank accounts -- is often just the beginning. Victims typically spend weeks or months working with banks, credit agencies, and law enforcement to prove they did not authorise the transactions and to have fraudulent accounts closed.

Credit scores can be severely damaged, making it difficult to get a mortgage, rent a property, or even open a new bank account. In some cases, victims discover the theft only when they are refused credit or contacted by debt collectors about accounts they never opened. The emotional toll -- stress, anxiety, and the feeling of violation -- should not be underestimated.

The Impact on Businesses

Businesses bear significant costs from identity theft, whether they are directly targeted or used as a channel for fraudulent transactions. These costs include:

  • Financial losses -- chargebacks, refunds, and write-offs from transactions made using stolen identities
  • Operational costs -- staff time spent investigating fraud cases, processing disputes, and managing the aftermath
  • Regulatory penalties -- under GDPR and the Data Protection Act 2018, businesses that fail to adequately protect personal data can face substantial fines
  • Reputational damage -- customers lose trust in businesses that are associated with fraud or data breaches, and regaining that trust is a long and expensive process

Identity Theft and Telephone Payments

The telephone payment channel is particularly relevant to identity theft for several reasons. When a customer calls to make a payment, the business needs to verify their identity, but the methods available over the phone are inherently limited. You cannot check a photo ID over the phone. You cannot use biometric verification unless you have specific technology in place. Typically, verification relies on knowledge-based questions -- asking for information that the legitimate customer should know.

The problem is that much of this information may already be in the hands of a fraudster who has stolen the customer's identity. If a criminal has the customer's name, address, date of birth, and card details, they can often pass telephone verification checks without difficulty. This makes training agents to recognise inconsistencies and suspicious behaviour critically important.

There is also the data protection angle. Every time an agent handles personal information over the phone -- whether that is the customer's address, card number, or account details -- there is a risk that this data could be compromised. Call recordings, agent notes, and CRM entries all become potential targets for data theft. This is why solutions that minimise the amount of personal and financial data that passes through the agent environment are so valuable from an identity theft prevention perspective.

How Businesses Can Protect Themselves and Their Customers

Preventing identity theft requires a combination of technical measures, operational procedures, and awareness:

  • Minimise data collection -- only collect and store the personal information you genuinely need. The less data you hold, the less there is to steal
  • Secure data storage -- encrypt personal data at rest and in transit, implement access controls, and regularly audit who has access to sensitive information
  • Train your staff -- agents and employees who handle personal data should understand the risks, know how to spot suspicious behaviour, and follow clear procedures for identity verification
  • Implement strong authentication -- where possible, use multi-factor authentication rather than relying solely on knowledge-based verification
  • Monitor for unusual activity -- set up systems to flag transactions or account changes that do not match normal patterns
  • Use secure payment solutions -- for telephone payments, using DTMF masking or similar technology keeps card data out of the agent environment, reducing the risk of data being captured and used for identity theft
  • Dispose of data securely -- shred physical documents and follow proper data destruction procedures for digital records

The Legal Framework

In the UK, identity theft is covered by several pieces of legislation, including the Fraud Act 2006, the Identity Documents Act 2010, and the Computer Misuse Act 1990. The Data Protection Act 2018 (which incorporates GDPR into UK law) places specific obligations on businesses to protect personal data and to report breaches to the Information Commissioner's Office (ICO) within 72 hours.

Businesses that suffer a data breach leading to identity theft may face ICO investigation and potentially significant fines. Beyond the legal requirements, there is a clear business case for taking identity theft prevention seriously -- the cost of prevention is almost always lower than the cost of dealing with the consequences.

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates identity theft prevention as part of its thorough security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What is identity theft?

Identity theft occurs when someone's personal information — such as name, address, date of birth, or financial details — is stolen and used without their knowledge to commit fraud or other crimes.

Why is identity theft important for PCI DSS?

PCI DSS requires organisations to implement measures against identity theft as part of their security controls for protecting cardholder data.

How does Paytia handle identity theft?

Paytia implements identity theft prevention as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.
