Identity Theft Types and Categories: A Complete Reference
Identity theft encompasses a broad spectrum of fraudulent schemes in which a perpetrator obtains and misuses another person's personal identifying information without authorization. The Federal Trade Commission (FTC) classifies identity theft across more than a dozen distinct categories, each defined by the credential type exploited and the harm produced. Accurate classification matters because recovery pathways, reporting requirements, and legal remedies differ substantially by type. This reference maps the recognized taxonomy used by federal agencies, consumer reporting bodies, and law enforcement.
Definition and scope
Identity theft is defined under federal law at 18 U.S.C. § 1028 as the knowing transfer, possession, or use of a means of identification of another person with intent to commit unlawful activity. The statute covers a wide range of identifying instruments — Social Security numbers, financial account credentials, biometric data, and government-issued document numbers. Aggravated identity theft under 18 U.S.C. § 1028A carries a mandatory 2-year consecutive sentence on top of the underlying offense.
The FTC's Consumer Sentinel Network, which logs identity theft complaints from across the United States, recorded over 1.4 million identity theft reports in 2023 (FTC Consumer Sentinel Network Data Book 2023). That volume underscores the scale of the problem and the diversity of methods through which personal data is exploited. The identity-theft-statistics-us reference page aggregates current complaint volumes by category and state.
The scope of identity theft spans five primary credential domains:
- Financial credentials — bank account numbers, credit card data, payment card PINs
- Government-issued identifiers — Social Security numbers, driver's license numbers, passport numbers
- Medical identifiers — insurance member IDs, Medicare/Medicaid numbers, provider credentials
- Tax identifiers — Employer Identification Numbers, filing PINs, W-2 data
- Synthetic combinations — fabricated profiles blending real and fictitious data elements
How it works
Identity theft operates through three sequential phases regardless of the specific variant:
- Acquisition — The perpetrator obtains identifying information through data breaches, phishing, mail theft, social engineering, skimming devices, or dark web purchases. The data-breach-and-identity-theft and phishing-and-identity-theft pages detail these acquisition vectors separately.
- Exploitation — The perpetrator applies the stolen data to open new accounts, file fraudulent tax returns, claim government benefits, obtain medical services, or impersonate the victim in criminal proceedings.
- Concealment — Fraudulent activity is routed through layered accounts, synthetic identity profiles, or jurisdictions with weaker verification requirements to delay detection. Synthetic identity fraud, in which a real Social Security number is paired with a fictitious name, is particularly difficult to detect because no single real person receives account statements.
The Federal Bureau of Investigation (FBI) and the FTC both document that the average time between credential theft and victim discovery can exceed 12 months for account-level fraud, and longer for medical or benefit fraud.
Common scenarios
The recognized categories of identity theft, as tracked by the FTC and defined in federal statute, include:
- Financial identity theft — The most reported type. Perpetrators open credit accounts, drain deposit accounts, or obtain loans using stolen financial credentials.
- Tax identity theft — A fraudulent return is filed using the victim's Social Security number to claim a refund before the legitimate taxpayer files. The IRS Identity Protection PIN program (IRS IP PIN) is the primary mitigation tool.
- Medical identity theft — Insurance credentials are used to obtain services, prescriptions, or durable medical equipment. The Department of Health and Human Services (HHS Office for Civil Rights) addresses the intersection with HIPAA violations.
- Social Security identity theft — A Social Security number is used to establish credit, gain employment authorization, or access government benefits under a false identity.
- Child identity theft — Minor children's Social Security numbers, which typically carry no credit history, are exploited to open accounts that go undetected for years.
- Senior identity theft — Older adults are targeted through Medicare fraud, charity scams, and caregiver exploitation.
- Criminal identity theft — A perpetrator presents stolen identity documents to law enforcement, resulting in criminal records, warrants, or court obligations attaching to the victim's identity.
- Account takeover fraud — Existing accounts are accessed and commandeered rather than new accounts opened in the victim's name.
- Employment identity theft — A stolen Social Security number is used to obtain work authorization, causing tax and benefit complications for the true owner.
- Government benefits identity theft — Unemployment insurance, Social Security benefits, or other public assistance is claimed fraudulently using stolen identifiers.
- Business identity theft — Corporate identity documents, EINs, or registered agent information are hijacked to obtain credit, file false tax returns, or redirect payments.
Decision boundaries
Determining which category applies to a given incident governs both the reporting pathway and the recovery process. The following distinctions are operationally significant:
New account fraud vs. account takeover fraud — New account fraud involves accounts the victim never opened; account takeover involves existing accounts the victim holds. Credit bureau disputes under the Fair Credit Reporting Act (FCRA) apply to both, but fraud alerts and account-level notifications function differently across the two scenarios.
True-name fraud vs. synthetic identity fraud — True-name fraud uses a victim's actual name alongside their stolen credentials. Synthetic identity fraud uses a real Social Security number with a fabricated name; the victim may never receive collection notices because no account exists in their name.
Civil identity exposure vs. criminal identity theft — Civil exposure (fraudulent credit accounts) is addressed through the credit dispute process and FTC reporting at IdentityTheft.gov. Criminal identity theft, where a victim's identity is used during an arrest or prosecution, requires engagement with law enforcement and the courts, as detailed at identity-theft-police-report-guide.
Single-vector vs. compound identity theft — A perpetrator may exploit a single credential type in isolation or combine medical, financial, and tax fraud in a coordinated scheme. Compound cases typically require simultaneous action across the IRS, credit bureaus, HHS, and potentially the Social Security Administration (SSA).
Incident classification should precede any recovery action. The identity-theft-reporting-steps page maps the correct agency contacts and documentation requirements for each category listed above.
References
- Federal Trade Commission — Consumer Sentinel Network Data Book 2023
- 18 U.S.C. § 1028 — Fraud and Related Activity in Connection with Identification Documents
- 18 U.S.C. § 1028A — Aggravated Identity Theft
- IRS Identity Protection PIN Program
- HHS Office for Civil Rights — HIPAA and Identity Theft
- Social Security Administration — Identity Theft and Your Social Security Number
- Federal Bureau of Investigation — Identity Theft Resources
- IdentityTheft.gov — Official Federal Government Identity Theft Recovery Portal