Identity Theft Statistics 2026: What the Data Actually Shows

The Scale of Identity Theft in 2026

Identity theft is not a niche concern. According to the FTC's Consumer Sentinel Network, over 1.4 million identity theft reports were filed in 2024 in the United States alone — and that's only the fraction reported. The FTC estimates that for every report filed, several incidents go unreported because victims don't know they've been compromised until much later.

Globally, Javelin Strategy & Research estimates that identity fraud losses in the US exceeded $23 billion in 2023. The average victim spends over 200 hours resolving identity theft — roughly five full work weeks — even when the financial loss is relatively small.

Understanding the statistics isn't just academic. The patterns in the data reveal where the actual risk lies, and more importantly, which defenses are most effective.

How Identities Get Stolen: The Real Numbers

The public often imagines identity theft as the result of sophisticated hacking — a lone attacker breaking encryption or cracking passwords. The actual data tells a different story:

• Data breaches (35%) — The largest single source. When a company you've done business with is breached, your credentials or personal data may appear in breach databases sold on dark web marketplaces, sometimes within hours of the breach.
• Phishing and social engineering (25%) — Victims are tricked into giving up their own credentials. This includes email phishing, smishing (SMS), and phone-based vishing scams.
• Account takeover via credential stuffing (18%) — Attackers use credentials from one breach to access accounts on other services, exploiting password reuse. If you use the same password across multiple sites, this is your primary risk vector.
• Physical theft and mail theft (12%) — Stolen wallets, mail, and discarded documents remain surprisingly common sources of identity theft, particularly targeting older adults.
• Insider threats and other methods (10%) — Compromised employees at financial institutions, healthcare providers, and retailers.

The upshot: for most people, the top threats are data breaches and credential reuse — both of which are addressed by a single behavioral change: using unique passwords for every account. See our guide on responding to a data breach if your data has already been exposed.

Who Is Most at Risk?

Identity theft affects all demographics, but the FTC's data shows important patterns:

Age 30–49 files the most identity theft reports in absolute numbers, likely because this group has the most financial accounts, credit history, and online presence.

Adults 60+ face disproportionate losses per incident — the FTC found that older adults lose significantly more per identity theft event, partly because they're more often targeted by phone-based scams and less likely to monitor accounts for suspicious activity.

Children are increasingly targeted because their clean credit history goes unmonitored for years. Child identity theft often goes undiscovered until the victim applies for credit as a young adult and finds accounts in their name dating back to childhood.

Military personnel and veterans are disproportionately represented in identity theft reports, partly because frequent moves and deployments make it harder to monitor accounts consistently.

The Most Common Types of Identity Fraud

Not all identity theft leads to the same outcome. The FTC's 2024 data breaks down the most common fraud categories:

• Government benefits fraud (24%) — Fraudulent tax returns (claiming someone else's refund), unemployment claims, and Social Security benefit theft. COVID-era fraud programs created a wave of government benefits fraud that has largely receded but remains elevated.
• Credit card fraud (18%) — Opening new credit cards in the victim's name, or using compromised card numbers for fraudulent purchases.
• Loan and lease fraud (15%) — Fraudulent applications for personal loans, auto loans, and apartment leases.
• Bank account fraud (12%) — Unauthorized access to existing bank accounts, or opening new accounts in the victim's name to receive or launder stolen funds.
• Utilities fraud (8%) — Opening utilities accounts (electricity, cable, phone) in the victim's name to avoid paying deposits.

Dark Web Markets: Where Stolen Data Goes

After a data breach, stolen credentials don't sit unused. They're typically sold in batches on dark web marketplaces within days of the breach. Prices vary dramatically by data type:

• Email/password combinations: $0.50–$5 per record (in bulk)
• Full identity packages ("fullz" — name, SSN, DOB, address): $15–$40
• Healthcare records: $100–$1,000 (high value due to insurance fraud potential)
• Financial account with verified balance: $25–$250+ depending on balance

Dark web monitoring services track these marketplaces and alert you when your information appears. Services like NordProtect scan breach databases and dark web forums continuously, alerting you before attackers have had time to exploit your data. See our guide to dark web monitoring for how these services work and what to do when you get an alert.

Financial and Time Costs to Victims

The financial damage from identity theft varies widely by type:

• Credit card fraud: Average loss of $500–$1,200. Most major card networks provide $0 fraud liability for disputed charges, but recouping losses requires time and follow-up.
• New account fraud: Average loss of $1,600–$3,000. More damaging because it damages credit history in addition to direct financial loss.
• Tax identity theft: Direct financial loss varies, but IRS resolution takes an average of 6–9 months and requires extensive documentation.
• Medical identity theft: Among the most damaging — fraudulent medical claims can result in incorrect entries in your medical records and insurance coverage issues that take years to untangle.

Beyond direct financial losses, 23% of identity theft victims report significant emotional distress, and 17% report that the incident affected their employment or housing prospects due to credit damage.

What the Data Says Actually Works

Several interventions have strong evidence behind them:

Unique passwords for every account eliminates credential stuffing attacks entirely. If a breach exposes your password from one service, it can't be used to access your other accounts. A password manager like NordPass or 1Password makes this effortless — use our free password generator to create strong, unique passwords and save them securely.

Credit freezes are the most underused protection against new account fraud. A freeze prevents anyone — including you — from opening new credit accounts in your name without a PIN. Freezing at all three bureaus (Equifax, Experian, TransUnion) is free, takes about 15 minutes online, and can be temporarily lifted when you need to apply for credit. Our guide to freezing your credit walks through the process step by step.

Two-factor authentication significantly reduces account takeover risk. Even if an attacker has your password, phishing-resistant 2FA (hardware keys or passkeys) prevents login. See our 2FA guide for setup instructions.

Dark web monitoring with rapid response — changing passwords and freezing credit immediately after an alert — limits the window attackers have to exploit stolen data.

Recommended Tools for Identity Protection

• NordProtect — Dark web monitoring, credit monitoring, and identity theft insurance. Alerts you when your data appears in breach databases so you can act before damage occurs.
• NordPass — Password manager that eliminates credential reuse — the #1 enabler of account takeover fraud. Generate and store unique passwords for every account.

For a full list of identity protection and security tools, visit our recommended tools page.