Identity Theft Criminal Penalties and Federal Prosecution Overview

Federal prosecution of identity theft operates under a layered statutory framework that assigns criminal penalties based on offense type, dollar amounts involved, victim category, and whether the theft enabled a separate felony. The statutes governing these offenses span Title 18 of the United States Code, with enforcement concentrated in the Department of Justice and the Federal Trade Commission. Understanding the penalty structure matters because the difference between a misdemeanor charge and a mandatory-minimum felony conviction can turn on a single aggravating factor.

Definition and scope

Identity theft, as prosecuted under federal law, refers to the knowing transfer, possession, or use of another person's means of identification without lawful authority, in connection with a predicate unlawful activity (18 U.S.C. § 1028). The statute covers documents, authentication features, and electronic means of identification.

Congress extended this framework in 2004 with the Identity Theft Penalty Enhancement Act (Pub. L. 108-275), which created a distinct offense — aggravated identity theft — codified at 18 U.S.C. § 1028A. That provision imposes a mandatory 2-year consecutive sentence for identity theft committed in connection with specific felonies, and a mandatory 5-year consecutive sentence when the underlying crime involves terrorism. The sentences are consecutive, meaning they cannot run concurrently with the sentence for the predicate offense.

The Federal Trade Commission maintains the national clearinghouse for identity theft reports under the FTC Act, while DOJ prosecutorial authority is exercised through United States Attorneys' offices. The scope of federal jurisdiction typically attaches when the offense involves interstate commerce, federal benefits programs, or financial institutions regulated at the federal level. For a broader map of the service sector operating in this space, see the Identity Theft Providers page.

How it works

Federal identity theft prosecution follows a structured progression from investigation to sentencing:

  1. Detection and referral — Reports originate from financial institutions, the FTC's IdentityTheft.gov platform, the Social Security Administration's Office of Inspector General, or direct victim complaints.
  2. Investigation — The FBI, Secret Service, or Postal Inspection Service conduct investigations depending on the underlying scheme. The Secret Service has jurisdiction over financial crimes under 18 U.S.C. § 3056.
  3. Charging decision — Federal prosecutors evaluate which statutes to charge. A basic § 1028 violation carries up to 5 years imprisonment per count for most offenses, up to 15 years if the offense involves a prior conviction, and up to 20 years if the offense facilitates drug trafficking or violence.
  4. Aggravated identity theft assessment — If the underlying predicate meets the § 1028A threshold (which covers 68 enumerated predicate felonies), the mandatory 2-year add-on applies with no judicial discretion for downward departure.
  5. Sentencing — Federal courts apply the U.S. Sentencing Guidelines (U.S.S.G. § 2B1.1) to calculate base offense levels, with upward enhancements tied to loss amount, number of victims, and use of sophisticated means.

Financial penalties under § 1028 can reach $250,000 per count under 18 U.S.C. § 3571 for individuals, with restitution to victims mandatory under the Mandatory Victims Restitution Act (18 U.S.C. § 3663A).

Common scenarios

Federal charges cluster around four recurring offense patterns, each with distinct charging profiles:

Tax refund fraud — Perpetrators file false returns using stolen Social Security numbers. The IRS Criminal Investigation division (IRS-CI) leads investigations; charges typically include § 1028A alongside wire fraud (18 U.S.C. § 1343) and filing false claims (18 U.S.C. § 287).

Benefits fraud — Use of another individual's identity to obtain Social Security, Medicare, or Medicaid benefits. The Social Security Administration OIG and HHS OIG hold primary investigative jurisdiction. The statutory maximum for Social Security fraud under 42 U.S.C. § 408 is 5 years, stacked with § 1028A where applicable.

Account takeover and synthetic identity fraud — Involves use of real or fabricated identity elements to open financial accounts. The Consumer Financial Protection Bureau tracks complaint volume, and prosecutions frequently involve bank fraud under 18 U.S.C. § 1344, carrying up to 30 years per count.

Data breach-enabled mass identity theft — Organized actors exploit breached credential datasets. The Computer Fraud and Abuse Act (18 U.S.C. § 1030) applies to the breach itself; identity theft statutes govern downstream misuse. These cases routinely involve RICO charges (18 U.S.C. § 1962) for organized rings. The Identity Theft Provider Network Purpose and Scope page outlines the professional categories involved in responding to these events.

Decision boundaries

The distinction between state and federal prosecution jurisdiction depends on several determinative factors. Federal prosecution is standard when the offense crosses state lines, involves a federally chartered institution, targets federal programs, or meets the monetary thresholds that trigger U.S. Sentencing Guideline enhancements. State charges predominate when the theft is local in character and involves no federal nexus.

The contrast between § 1028 and § 1028A is the most operationally significant classification boundary: § 1028 charges allow judicial sentencing discretion, while § 1028A strips that discretion entirely through its mandatory consecutive structure. No plea bargain can eliminate the consecutive requirement once § 1028A is charged and sustained.

Victim category also shifts the penalty ceiling. Identity theft targeting individuals over 55, members of the military, or victims of a prior identity theft may trigger sentencing enhancements under the U.S. Sentencing Guidelines. Financial institutions and government agencies as victims can independently elevate the offense level under U.S.S.G. § 2B1.1(b).

For guidance on how this reference network structures professional service categories across the identity theft response sector, see How to Use This Identity Theft Resource.

 ·   · 

References

Read Next

Federal Identity Theft Laws: ITADA, FACTA, and Related Statutes ANA › Professional Services Authority › National Cyber › National Identity Theft Federal Identity Theft Laws: ITADA, FACTA, and Related... State Identity Theft Laws: Variation Across US Jurisdictions ANA › Professional Services Authority › National Cyber › National Identity Theft State Identity Theft Laws: Variation Across US... Consumer Rights Under the FCRA in Identity Theft Cases ANA › Professional Services Authority › National Cyber › National Identity Theft Consumer Rights Under the FCRA in Identity Theft Cases...