Identity Theft Glossary: Key Terms and Definitions

The terminology surrounding identity theft spans federal statute, consumer protection regulation, credit reporting law, and criminal prosecution frameworks. Precise definitions govern how victims qualify for legal remedies, how disputes are processed by credit bureaus, and how law enforcement classifies offenses. This glossary consolidates the core vocabulary used by agencies including the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Internal Revenue Service (IRS) — organized for practitioners, researchers, and affected consumers navigating the identity theft service sector.

Definition and scope

Identity theft, as defined under 18 U.S.C. § 1028 (U.S. Code, Title 18), is the knowing transfer, possession, or use of a means of identification belonging to another person without lawful authority, with intent to commit or aid an unlawful activity. The FTC's formal definition, used across consumer-facing enforcement, describes it as fraud committed using another individual's personal information (FTC Consumer Information).

Means of identification encompasses a broad range of data elements under federal law, including:

1. Name, Social Security number (SSN), or date of birth
2. Government-issued identification numbers (driver's license, passport number)
3. Financial account numbers, credit or debit card numbers
4. Biometric data (fingerprints, retina scans, voice prints)
5. Electronic identification numbers, including IP addresses and device serial numbers

The scope of coverage under the identity-theft-laws-federal framework extends to synthetic constructs — fabricated identities combining real and fictitious data — not just theft of an existing person's complete profile. The identity-theft-types-and-categories taxonomy further subdivides offenses by sector of exploitation.

How it works

The glossary terms below are organized by functional category. Each entry reflects usage as applied in regulatory documents, legal proceedings, and consumer reporting contexts.

Core identity terms

Personal Identifiable Information (PII): Any data that can be used to distinguish or trace an individual's identity, alone or in combination with other information. NIST SP 800-122 (NIST SP 800-122) defines PII as information that can be used to distinguish or trace an individual's identity.

Account Takeover (ATO): The unauthorized acquisition of an existing financial or service account through credential theft, social engineering, or data breach exploitation. ATO differs from new-account fraud in that no new credit line is opened — the fraudster operates within an existing account relationship. See account-takeover-fraud for the full operational breakdown.

Synthetic Identity Fraud: A hybrid fraud type in which a fraudster combines a real SSN (often belonging to a child, deceased individual, or thin-file consumer) with fictitious biographical data to create a new identity construct. The CFPB identifies synthetic identity fraud as among the fastest-growing financial crime categories in the United States. See synthetic-identity-theft.

Credential Stuffing: The automated injection of stolen username/password pairs — typically sourced from a data breach — across multiple login portals, exploiting password reuse.

Skimming: The physical or electronic capture of payment card data using a device installed on ATMs, point-of-sale terminals, or fuel pumps. The FBI classifies skimming as a form of financial identity theft that costs U.S. financial institutions and consumers over $1 billion annually (FBI Financial Crimes).

Credit and reporting terms

Credit Freeze (Security Freeze): A restriction placed on a consumer's credit file, authorized under the Fair Credit Reporting Act (FCRA) at 15 U.S.C. § 1681c-1, preventing new credit inquiries without prior consumer authorization. All three major credit bureaus — Equifax, Experian, and TransUnion — are required to implement a freeze without charge. See credit-freeze-and-fraud-alert-guide.

Fraud Alert: A notice placed on a credit file instructing creditors to verify identity before extending credit. An initial fraud alert lasts 1 year; an extended fraud alert, available to confirmed identity theft victims, lasts 7 years under the FCRA (15 U.S.C. § 1681c-1).

Identity Theft Report: An FTC-issued document generated through IdentityTheft.gov that serves as an official complaint and affidavit substitute recognized by credit bureaus and creditors. See ftc-identity-theft-report-guide for the procedural structure.

Dispute: The formal process by which a consumer challenges inaccurate information in a credit report under FCRA § 611. Credit bureaus must complete investigations within 30 days under standard procedures, or 45 days when the consumer submits additional documentation. See credit-bureau-dispute-process.

Tax and government terms

IP PIN (Identity Protection Personal Identification Number): A 6-digit IRS-issued code that prevents others from filing a federal tax return using a taxpayer's SSN. The IRS expanded the IP PIN opt-in program to all U.S. taxpayers in 2021 (IRS IP PIN Program). See irs-identity-protection-pin-guide.

Medical Identity Theft: The use of another person's identity to obtain medical services, prescriptions, or insurance reimbursement. The HHS Office for Civil Rights treats medical identity theft as a HIPAA-adjacent issue when protected health information (PHI) is involved (HHS OCR). See medical-identity-theft.

Common scenarios

Identity theft vocabulary surfaces in distinct operational contexts across the service sector:

• Tax fraud context: Terms such as "SSN misuse," "Form 14039 Identity Theft Affidavit," and "IP PIN" appear in IRS enforcement and victim remediation procedures.
• Credit remediation context: "Furnisher," "consumer reporting agency (CRA)," "tradeline," and "reinvestigation" are statutory terms under the FCRA used in bureau dispute procedures.
• Criminal prosecution context: "Aggravated identity theft" under 18 U.S.C. § 1028A carries a mandatory 2-year consecutive sentence on top of any underlying felony, as opposed to the base offense under § 1028.
• Data breach context: "Breach notification," "covered entity," and "personally identifiable financial information (PIFI)" appear in both state breach notification laws and the Gramm-Leach-Bliley Act (GLBA) framework.

Decision boundaries

The practical utility of this terminology depends on distinguishing closely related terms that carry different legal consequences:

Identity theft vs. identity fraud: Federal statute formally defines identity theft as the unauthorized use of identifying information; identity fraud encompasses the broader category of deception-based financial crimes, which may not require assuming another's identity. Courts and agencies apply these distinctions when determining applicable penalties under identity-theft-penalties-and-prosecution.

Fraud alert vs. credit freeze: A fraud alert instructs creditors to take additional verification steps but does not block access to the credit file. A credit freeze blocks all access to the file by new creditors. The two are not equivalent protections under the FCRA.

Data breach vs. identity theft: A data breach is an unauthorized access or disclosure event. Identity theft occurs when the compromised data is actively used to commit fraud. Not all breaches result in identity theft; not all identity theft originates from a reportable breach.

Medical identity theft vs. insurance fraud: Medical identity theft specifically involves misuse of a victim's identity or insurance credentials. Insurance fraud is a broader category that includes provider billing fraud, which may not involve any individual victim's stolen identity.

The consumer-rights-under-fcra framework governs how these distinctions affect remediation rights and what procedural pathways apply once a specific offense type is established.

References

• FTC Identity Theft Consumer Information — Federal Trade Commission
• 18 U.S.C. § 1028 — Identity Fraud Statute — U.S. House Office of the Law Revision Counsel
• 18 U.S.C. § 1028A — Aggravated Identity Theft — U.S. House Office of the Law Revision Counsel
• NIST SP 800-122: Guide to Protecting PII — National Institute of Standards and Technology
• 15 U.S.C. § 1681c-1 — FCRA Fraud Alerts and Credit Freezes — U.S.