FTC: 27 million victims of ID theft

About 27.3 million U.S. residents have been victims of identity theft during the past five years, according to a survey released Wednesday by the Federal Trade Commission, but the agency is unsure how many of those crimes happened through technological means such as the Internet.

After conducting a phone survey, the FTC estimates that 9.9 million U.S. residents have been victims of identify theft during the past year, with businesses and financial institutions losing $48 billion during that period, and consumer victims reporting $5 billion in out-of-pocket expenses. The survey, of more than 4,000 adults in March and April, is the first comprehensive attempt by the U.S. government to get a handle on the number of victims and the cost of identity theft.

“It was considerably higher than I expected,” Howard Beales, director of the FTC’s Bureau of Consumer Protection, said of the survey’s results. “In planning this survey, we did the sample as large as we did because we thought we were going to have a hard time finding victims. Unfortunately, that’s not the case.”

The FTC’s numbers are higher than most previous estimates of identity theft. A Gartner survey released in July found 7 million victims of identity theft in the previous year, while the FTC received about 380,000 complaints about identity theft in 2002. An Internet survey by Privacy and American Business, released in July, found 33.4 million U.S. victims of identity theft since 1990.

Nearly half – 49% – of those who said they’d been a victim of identity theft during the past five years didn’t know how the thief obtained their information. Twenty-three percent said the thief gained their information through a theft of some kind, but that could range from a credit card statement stolen from a garbage can to a hacker stealing credit card numbers from an e-commerce site. Another 13% said the thief obtained the personal information through a transaction of some kind, which could include some Web transactions.

The FTC’s survey doesn’t break down the causes of the identity theft into more specific categories, but Beales noted his agency has been involved in several attempts to prevent identity theft online. In July, the FTC settled a civil action against a California 17-year-old who allegedly tricked Internet users into giving him their credit card numbers and other personal information on a bogus Web site meant to look like AOL’s billing center. In June, the FTC settled a case with clothing and accessory vendor Guess, which was accused of not taking appropriate measures to secure its Guess.com Web site.

Still, Beales didn’t pinpoint the Internet as the cause of most identity thefts. There’s nothing in the report to suggest that transactions on the Internet with trusted Web sites are dangerous, he said.

“We don’t know of any problems that have resulted from consumers who shared information with a secure Web site that uses [Secure Sockets Layer] encryption to transmit information,” he said. “We don’t know of any problems in that circumstance. There clearly are hazards on the Internet, because consumers can end up at a site that is not what they think it is.”

Consumers should be careful when they get e-mails asking them to click on a link to update their data at a Web site. In many cases, those e-mails are part of a scam sometimes called “phishing,” similar to the scheme employed by the California teen. If a consumer thinks he has a legitimate billing issue that needs to be fixed, he should go to a site directly instead of clicking on a link in an e-mail from an unknown sender, Beales recommended.

“Clicking on the link could take you anywhere in cyberspace, and then you don’t know what will happen,” Beales added.

In the report released Tuesday, the FTC defined identity theft as everything from someone trying to gain government benefits under another person’s name to someone opening a credit card account in another person’s name. About 4.6% of those surveyed said they’d been a victim of some kind of identity theft in the past year, with 3.1% of those surveyed saying the thieves had gotten access to existing credit cards or other accounts. Another 1.5% of the people surveyed said they’d fallen victim to someone trying to open new accounts in their name.

The average out-of-pocket expense per victim was $500, which could include attorney fees or swallowing the losses if the victim didn’t report the theft, Beales said. On average, the theft obtained $4,800 per victim.

When the thieves gained access to existing accounts, 67% of those accounts were credit cards. Another 19% were checking or savings accounts, 9% were telephone service, and 3% were Internet service.

This week, the Information Technology Association of America (ITAA) launched the Coalition on Online Identity Fraud to combat identity theft online. Greg Garcia, ITAA’s vice president for information policy, praised the FTC for the release of its report, and said his group would work with the U.S. Congress and the FTC on ways to combat identity theft.

“The fact that they’re getting their hands around the problem is the first step … in stamping this down,” Garcia said.