How to detect an identity thief

Learn how identity thieves gather personal information and help protect your clients from becoming victims.

Key Points

  • Identity theft remains a common type of fraud in the United States. 

  • Social engineering can be just as effective as high-tech methods for stealing sensitive client information or money. 

  • You can help protect your clients by staying aware and taking extra precautions to verify their identities.


Identity theft may be one of the oldest techniques in the fraud book but it remains prevalent—especially in a world where much more information is shared than in the past. In 2020, the Federal Trade Commission received more than 1.4 million reports of identity theft, more than double the figure from 2019.1

Contrary to what some may believe, not all fraudsters are geniuses who can outsmart advanced technology. Some simply know how to take advantage of people's natural inclination to trust others. Meanwhile, these criminals are getting more sophisticated in their attacks by using stealthier, more complex schemes, such as social engineering.

What is identity theft and how does it happen?

Identity theft occurs when one person uses another person's identifying information to assume their identity for the purpose of committing fraud or other crimes.

This type of fraud can be executed in person, verbally, or electronically and can be familial (attempted by a family member) or external (attempted by an unknown party).

While electronic channels are the most common paths for identity theft, fraudsters can use several different methods to steal a victim's credentials. Identity theft generally falls into one of two categories:

1. Low-tech methods: These may include posing as a trusted person for the purpose of financial gain or to access information. For example, the identity thief may contact a call center or call you directly, posing as the client. Other low-tech approaches include taking physical possession of devices, ATM cards, financial statements, and other materials that contain the client's information.
2. High-tech methods: Once identity thieves have the information they need, they may log in to a client's account to gain additional data, intercept verification codes, redirect devices, initiate withdrawals, change account details, and more.

Identity theft is a broad topic, so these examples are not all-inclusive and may overlap with other methods that also result in a loss of client information.

Social engineering techniques

Social engineering is the use of deception to manipulate others into divulging personal information or transacting on a client account. Typically, an unauthorized individual assumes the identity of a client or tricks another person into believing they are a trustworthy source.

Criminals often leverage stolen client information gathered from other companies' breaches, purchased from the dark web, or gleaned from social media to pose as clients. Then, they use these details—in combination with other tactics—to appear more legitimate. For example, they may spoof the client’s phone number or use a voice changer to sound like the client. These imposters are often calling to update account information, such as an email address, a password, or a phone number, or to initiate or approve money movements.

Social engineering is swiftly becoming a universal threat—one that can have big impacts. It's a clever, often misunderstood, and overlooked form of identity theft. While it still requires a certain amount of finesse and skill, it doesn’t require the technical expertise necessary to hack into a major bank's computer network and reroute funds.

Social engineering may occur via phone, email, or social media. Often, the scammer will use charm, friendliness, wit, or urgency to build a sense of trust with the victim. This is intended to convince the victim to release unauthorized information or perform actions that benefit the scammer, such as sending money. It's also very common for the scammer to visit social media sites to obtain identifying information to bolster their credibility.

8 tips to prevent identity theft

Knowledge and awareness can help you protect your firm and clients against these cybercrimes. Here are some best practices.

  1. Safeguard your firm's information and your clients' personal data.
  2. Limit whom you trust with your and your clients' personal information.
  3. Use caution when sharing information and personal details on social media.
  4. Consider how you interact with clients via email or phone, and be selective about disclosing details.
  5. Be aware of your surroundings when talking on the phone. Do not hold conversations regarding your role or client interactions in public places.
  6. Look for transactions that are outside of your clients' normal patterns of behavior.
  7. Employ strict authentication protocols that you follow for every transaction—no exceptions. For example, you may choose to video conference with your clients or require a verbal password or security questions for accounts.
  8. Educate and train your staff to ensure they are talking to your true client.

7 red flags to identify imposters

Several things will help you identify a possible imposter:

  1. Atypical background noises (e.g., a crying baby or loud traffic) to distract the representative and expedite the call.
  2. Age and gender appropriateness of the voice: If the client is 85, does the caller's voice match that age?
  3. Frequent pauses when asked a simple verification question.
  4. A robotic-sounding voice, which indicates the caller is using a voice modulator to disguise their real voice.
  5. Asking you to repeat simple questions (e.g., "Did you ask me for my mother’s maiden name?").
  6. The sound of paper being shuffled in the background.
  7. A call from a number that is not on record.

What you can do next