Finally, a bit of good news to report about identity theft: The number of victims and the amount stolen remained relatively stable last year, according to the 2016 Identity Fraud Study from Javelin Strategy & Research released on Tuesday. The key findings:
- About 13.1 million Americans became identity fraud victims in 2015. That's up three percent from 2014 and the second highest number in the past six years.
- The amount stolen last year decreased by six percent to $15 billion, the smallest amount in six years.
"We've all become hyper-aware of the threats around fraud, so we're on the ball and detecting problems faster than we have before," said Al Pascual, director of fraud & security at Javelin. "We've taken our heads out of the sand, but fraud still persists."
ID fraud remains a very lucrative crime. Add up all the losses for the past six years and ID thieves have stolen $112 billion. That equals $36,500 stolen per minute, or enough to pay for four years of college in just four minutes, the report noted.
The crooks are evolving fast
As America switches to counterfeit-resistant chip-enabled credit cards (commonly referred to as EMV cards), identity thieves are changing their behavior.
Stolen credit card numbers are less frequently used to make a counterfeit card for shopping at the store (down from 50 to 46 percent in the last year) and more often used to shop online (up from 37 to 42).
Crooks are also moving from existing card fraud to new account fraud. Rather than compromise an existing account, they're using stolen Social Security numbers to apply for new cards.
Javelin found that new account fraud more than doubled (up 113 percent) from 2014 to 2015. It now accounts for 20 percent of all fraud losses. The report calls new account fraud "the most expensive and highest-impact" type of fraud.
"I think this is the new normal," Pascual told NBC News. "We're going to finding new ways to manage the risk and they're going to find ways around it. When it comes to identity fraud, it continues to be a cat-and-mouse game."
Randy Vanderhoof, director of the EMV Migration Forum, told NBC News that financial institutions are well aware of the fraudster's playbook — having seen what happened in other countries that have switched to chip cards — and are taking proactive steps to curtail this type of activity.
"Short term spikes in new fraud channels can be expected until countermeasures are enacted," Vanderhoof said. "The reality is that each step in this progression becomes increasingly difficult and more costly to criminals to generate the same illegal profits, resulting in overall fraud losses being stable or declining over time."
Stolen U.S. data used around the world
Identity theft is a global problem. The Javelin study found that 18 percent of the fraud using stolen U.S. credit card numbers — or $2.4 billion — was committed outside the country. The average loss per incident was $1,585. That's about 62 percent higher than all card fraud.
In many cases, this international fraud involves using the stolen credit card number to make a counterfeit card with a magnetic strip — that looks like it was issued in America — that can be used at the point-of-sale. The result is slower detection by U.S. credit card companies and a significantly higher fraud loss.
Right now, credit card companies are detecting international card fraud about 69 percent of the time, Javelin estimates.
"I think there's a really significant opportunity to do better here," Pascual told NBC News. "Criminals are finding great success in using card numbers outside the states. Those kinds of cases are taking longer to detect than fraud inside the U.S. Card issuers are getting better at it, but they have a ways to go."
The report notes that clever international thieves trick the card companies by placing a travel alert on the card. For instance, if they're going to make purchases in Italy, they tell the credit card company the person associated with that stolen card number is travelling to Italy. This makes it harder for the card company's security software to flag the transaction as suspicious.
There are things you can do to reduce your risk of becoming a victim or to spot a problem sooner, if something does happen. Javelin suggests:
- Secure your mobile device: Apply software updates that patch known vulnerabilities as soon as they become available. Take advantage of the security capabilities built into Android and iOS devices, such as protecting the device with a passcode or biometric (such as a fingerprint) and the ability to encrypt and remotely wipe the contents of the device if it's stolen.
- Exercise good password habits: Strong, unique, regularly updated passwords have less value to the fraudster if they are stolen in a data breach or through malware. Password managers can provide a convenient way to manage these more complex and unique passwords.
- Sign up for account alerts: These notifications can often be received through email or text message. They let you see what's happening to your account in real time, so you can spot suspicious activity. Many financial institutions offer alerts for international transactions. With fraud shifting overseas, this is an important alert to choose.
- Take data breach notifications seriously: One in five data breach victims suffered fraud in 2015, up from one in seven in 2014. Data breaches at retailers, government agencies and healthcare providers grew dramatically last year. As a result, 64 percent more Social Security numbers were exposed this year.
- Get help as soon as fraud is detected: The more immediate a financial institution, credit card issuer, wireless carrier or other service provider are notified that fraud has occurred on an account, the sooner these organizations can act to limit the damage. In some cases, early notification can also help limit the liability of a victim.