What is Identity Theft?
Identity theft is when someone steals your personal information — name, address, date of birth, financial details — and uses it to commit fraud in your name. New bank accounts, fraudulent loans, purchases on stolen credit. For individuals it's months of unpicking damage. For businesses it's chargebacks, GDPR exposure, and lost customer trust — and the phone channel is where it's hardest to spot, because you can't check a passport over a call.
What Is Identity Theft?
Identity theft is when someone steals your personal information and uses it to pretend to be you, almost always for financial gain. They take your name, address, date of birth, National Insurance number, bank details, card numbers — whatever they can get — and use it to open accounts, take out loans, buy things, or commit other fraud in your name.
It's the kind of crime that feels abstract until it hits you. For the millions of people affected every year, the consequences are very concrete: damaged credit scores, months of unpicking fraudulent accounts, financial losses, and the deeply unsettling feeling that someone out there is pretending to be you.
For businesses, identity theft is a problem on three fronts. You can be the target — criminals stealing your employees' or your company's data. You can be the unwitting accomplice — a fraudster using stolen identity information to transact with you. Or you can be the victim — taking financial losses from fraud enabled by identity theft somewhere else in the chain.
How Identity Theft Happens
Criminals get hold of personal information through a mix of methods, some surprisingly low-tech and some highly sophisticated.
Data Breaches
Large-scale breaches at companies, government bodies, and other organisations leak millions of personal records every year. Once that data is out — names, addresses, emails, passwords, sometimes financial detail — it gets traded and sold on dark-web markets. A single big breach can feed thousands of identity-theft attempts. The 2017 Equifax breach exposed 147 million people's records. Most of those records are still in active use a decade later.
Phishing and Social Engineering
Fraudsters send emails, texts, or make calls designed to trick people into giving up personal information. A phishing email mocked up to look like NatWest, asking you to "verify" your account. A call impersonating HMRC, telling you you've got unpaid tax and need to pay right now. These attacks lean on trust and urgency, and they work far more often than you'd hope. The clever ones don't ask for everything at once — they ask for one detail today and use it to extract the next one tomorrow.
Physical Theft
Stolen wallets, intercepted post, documents fished out of bins — old-fashioned but still in use. A single bank statement with your name, address, and account number is enough for a fraudster to start building a case in your name. That's why proper disposal of paper records matters more than it gets credit for.
Public Information and Social Media
People share astonishing amounts of personal information online without thinking about it. Date of birth, mother's maiden name, the street you grew up on, your first pet's name — every one of those is a common security question, and every one of them is sitting in plain sight on a Facebook profile somewhere. A determined fraudster can stitch together a startlingly complete identity from public sources alone.
The Impact on Individuals
For individuals, identity theft can be devastating. The immediate financial hit — fraudulent transactions, loans in their name, emptied accounts — is just the start. Victims typically spend weeks or months working with banks, credit reference agencies (Experian, Equifax, TransUnion), and police to prove they didn't authorise the transactions and to get fraudulent accounts closed.
Credit scores take a battering, which makes it harder to get a mortgage, rent a flat, or even open a new bank account. Some victims only discover the theft when they're refused credit or get chased by a debt collector for an account they never opened. The emotional side — stress, anxiety, the sense of being violated — gets less attention than the financial damage, but it's real.
The Impact on Businesses
Businesses carry significant costs from identity theft, whether they're directly targeted or just used as a channel for fraudulent transactions:
- Financial losses — chargebacks, refunds, and write-offs from transactions made with stolen identities
- Operational costs — staff time spent investigating fraud, processing disputes, and clearing up the aftermath
- Regulatory penalties — under GDPR and the Data Protection Act 2018, failing to adequately protect personal data can bring substantial fines from the ICO
- Reputational damage — customers lose trust in businesses associated with fraud or breaches, and rebuilding that trust takes years
Identity Theft and Telephone Payments
The phone channel is particularly exposed to identity theft for a few reasons. When a customer rings in to pay, you need to verify them, but the tools you've got over the phone are limited. You can't check a photo ID. You can't use biometrics unless you've specifically built it in. So verification falls back on knowledge questions — things the real customer should know.
The problem is that those same things are often already in the fraudster's hands. If they've got the name, address, date of birth, and card details from a breach, they can sail through telephone verification. That's why training agents to spot inconsistencies — the slightly wrong postcode, the hesitation when asked for the second line of the address, the urgency that doesn't quite fit the situation — matters as much as any technical control.
Then there's the data protection angle. Every time an agent handles personal information over the phone — address, card number, account details — that data is briefly in the contact centre. Call recordings, agent notes, CRM entries all become potential targets. The less personal and financial data passing through the agent environment, the less surface area there is for an identity-theft attack to land. That's why solutions that minimise what the agent ever sees pay back twice — once on PCI scope, once on identity theft exposure.
How Businesses Can Protect Themselves and Their Customers
Preventing identity theft takes a combination of technical controls, operational discipline, and awareness:
- Minimise data collection — only collect and store what you actually need. The less you hold, the less there is to steal.
- Secure data storage — encrypt personal data at rest and in transit, restrict access, audit who can see what.
- Train your staff — anyone handling personal data should understand the risks, know how to spot odd behaviour, and follow a clear verification procedure.
- Implement strong authentication — multi-factor where you can, rather than relying purely on knowledge-based questions.
- Monitor for unusual activity — flag transactions or account changes that don't match the customer's normal pattern.
- Use secure payment solutions — for phone payments, DTMF masking keeps card data out of the agent environment entirely, which removes one of the easiest data sources for identity-theft attacks.
- Dispose of data securely — shred paper, properly destroy old drives, follow a documented retention and deletion schedule.
The Legal Framework
In the UK, identity theft sits across several pieces of legislation — the Fraud Act 2006, the Identity Documents Act 2010, the Computer Misuse Act 1990. The Data Protection Act 2018 (which brings GDPR into UK law) puts specific obligations on businesses to protect personal data and to report breaches to the Information Commissioner's Office within 72 hours.
A business that suffers a breach leading to identity theft can face ICO investigation and significant fines. Beyond the regulatory side, the business case for prevention is straightforward — paying for prevention is almost always cheaper than paying for the consequences. The cleanup after a breach takes longer than anyone thinks, and the customers who walked away rarely come back.
Paytia's PCI DSS Level 1 certified platform addresses identity theft as part of its thorough security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.
Frequently Asked Questions
What is identity theft?
Identity theft is when someone steals your personal information — name, address, date of birth, financial details — and uses it without your knowledge to commit fraud or other crimes in your name. New accounts, fraudulent loans, purchases on stolen credit.
Why is identity theft important for PCI DSS?
Card data is one of the most valuable inputs to identity theft, so PCI DSS protections directly reduce the supply of stolen identity material. Anything that keeps card numbers out of recordings, agent screens, and storage cuts the surface area for identity theft attacks too.
How does Paytia handle identity theft?
We minimise what the contact centre ever sees. Card numbers go straight from the customer's keypad to the payment processor without passing through the agent's headset, screen, or call recording — so there's nothing in the contact-centre environment for a fraudster to steal and reuse.