It turns out the boogeyman is actually hiding in the deep dark web, not your child’s closet.

Identity theft is often misconstrued as an issue that only adults deal with; however, it’s also something that affects children. According to Javelin Strategy and Research’s 2018 Child Identity Fraud Study, one million child identity theft cases were reported in the U.S. last year.

It is important to note that these are only reported cases, so the actual number of child identity theft victims is likely higher. According to the calls we receive from impacted individuals, many child identity theft cases go underreported because they may have been perpetrated by a custodial or non-custodial parent, a close relative or even family friend, and the victim might not feel comfortable pressing charges.

Criminals see children’s identities as a hot commodity because they’re typically unmonitored and clean. Since children don’t start to establish credit until they are an adult (age 18) and open their first credit card or take out a loan, parents don’t usually think to check their child’s credit history. Unfortunately, criminals see this as the perfect opportunity to use your child’s information to open up several accounts, which may go undetected for years.

After the child’s information is stolen, criminals often turn to the dark web to sell it for as low as one dollar. The Dark Web, which contains some areas that are not accessible by normal internet browsers or are gated, holds a variety of illicit activity. So if you’ve been a victim of a data breach or gave personal information to a scammer, your information might be living there, as well as your child’s information.

Even though your child isn’t opening up new lines of credit at the moment, they are still at risk of having their information exposed. One way this can happen is through a data breach. You should be aware that accidental breaches do occur and you should be mindful of the consequences. For example, schools, doctors’ offices and daycares hold your child’s personally identifiable information (PII) and could potentially be breached. It’s important to find out how your child’s information is collected, stored and disposed of.

Oftentimes, thieves will buy a child’s Social Security number (SSN) from the dark web and combine it with a fake date of birth, address and name to completely fabricate an identity. Known as synthetic identity fraud, this is an increasingly common method that criminals use to commit identity theft. In order to protect your child from the dark web, it’s important to regularly check whether a credit report exists under your child’s SSN, never carry their SSN and only provide their SSN when it’s required.

Checking for the existence of a credit report with each of the three credit bureaus is a leading way to identify child identity theft. There are other indicators including the following:

  • Your child receives offers for pre-approved credit cards.
  • You receive bills in your child’s name.
  • A collection notice arrives with your child’s name on it.
  • Your application for government benefits for your child is refused because benefits are already being paid out to someone using your child’s Social Security number.
  • You receive a letter from the IRS saying your child owes taxes. Be aware, however, that any phone call from someone claiming to be with the IRS is almost certainly fraudulent. The IRS communicates with taxpayers by U.S. mail only.

You can contact the Identity Theft Resource Center for free assistance at 888-400-5530 or through the live chat feature on their website:

Experian proudly provides financial support to the Identity Theft Resource Center.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

What is considered valuable in terms of personal information has continually shifted definition for decades. At the Identity Theft Resource Center, educating consumers about the value of personal information is one of our top priorities. We often find that many consumers are unaware that having your Social Security number (SSN) exposed in a data breach is far more dangerous than having credit card or debit card information exposed. In addition to your SSN, another type of personal information that is regularly overlooked is login credentials (i.e. usernames and passwords), which can lead to other information being stolen using a method referred to as “credential cracking.” This form of hacking is very widespread and more insidious than most Americans realize.

The Open Web Application Security Project defines “credential cracking” as a method that cybercriminals use to “identify valid login credentials by trying different values for usernames and/or passwords.” This is important considering that, according to the 2017 Verizon Data Breach Incident Report, 80 percent of hacking-related data breaches were carried out using either stolen passwords and/or weak or guessable passwords. This means that cybercriminals attempt to gain access to a consumer’s account using educated guesses. How does someone make an educated guess about another person’s passwords? There are a couple of ways that this is done and it’s a lot easier than one might think. For example, criminals can use software that runs every word in the dictionary through authentication in hopes that a consumer has used a simple word as their login credentials. Another way that cybercriminals make educated guesses on login credentials is to use common passwords. Unfortunately, this is successful as consumers continue to use passwords such as “password” or “1234567”. Another way that hackers crack credentials, which is the most pertinent to the focus on the value of personal information, is the use of breached login credentials.

In 2017, there were nearly 179 million pieces of personal information stolen, lost or exposed in data breaches. The use of breached login credentials by hackers is pertinent to the value of personal information because it transforms our ideas of what information is the most dangerous to have stolen by hackers or lost in a data breach.  For example, consumers would most likely consider having their tax information lost or stolen in a breach far more dangerous than having their Yahoo or Gmail account credentials stolen. However, the use of “credential cracking” shows us that one can be just as dangerous as the other.

In order to understand why this can be so detrimental, consumers should first think about the login credentials (most commonly a username and password) they use on their online accounts. While the best practice is that consumers use different login credentials on each of their accounts, this often isn’t a reality. How many consumers use the same username and password for their Facebook account as they do for their online banking? Even those who may think they are being safe by using different passwords often only use one or two slight modifications, such as the addition of a punctuation mark or another number to their commonly used passwords. When this is the case, all that a cybercriminal has to do is get their hands on the login credentials for one account and they have the key to open many accounts, which may be far more dangerous than the initial account which was compromised. This is crucial for consumers to understand. It shows why each piece of personal information, even something as seemingly useless as the login credentials for an old Twitter account you no longer use, can spell big trouble. This is why we stress that consumers need to protect all the components of their personal information because they all have value. Of course, don’t hand out your SSN as you would your email address. The best strategy is to continue to guard that information as incredibly sensitive as well as protecting other personal information.
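The guessing methods described above (common passwords, dictionary words, breached credentials and slight modifications of a reused password) can be screened for when a password is set. The following is an added example, not code from the ITRC or OWASP; the word lists are tiny constructed stand-ins and the function names are hypothetical.

```python
import string
from typing import List, Optional

# The two common passwords the article quotes; real deny-lists are far longer.
COMMON_PASSWORDS = {"password", "1234567"}
# Constructed stand-ins for a dictionary and a corpus of breached passwords.
DICTIONARY = {"sunshine", "dragon", "monkey"}
BREACHED = {"Winter2017!", "hunter2"}

_DECORATION = string.digits + string.punctuation


def core(password: str) -> str:
    """Drop leading/trailing digits and punctuation and fold case.

    "Bluebird#7" and "bluebird22" both reduce to "bluebird", which is how
    a 'slightly modified' password is recognised as the same password.
    """
    return password.strip(_DECORATION).casefold()


def screen_password(candidate: str, current: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate password is guessable (empty = passes).

    `current` is the password the user typed to authorise the change; it is
    only compared in memory and never stored by this check.
    """
    reasons = []
    folded = candidate.casefold()
    base = core(candidate)

    if folded in COMMON_PASSWORDS:
        reasons.append("common password")
    elif folded in DICTIONARY:
        reasons.append("dictionary word")
    elif base in COMMON_PASSWORDS | DICTIONARY:
        reasons.append("guessable word with digits or punctuation added")

    if candidate in BREACHED:
        reasons.append("found in breached credentials")

    if current is not None and base and base == core(current):
        reasons.append("same as or a slight modification of an existing password")

    return reasons


if __name__ == "__main__":
    for pw, cur in [("1234567", None), ("Sunshine1!", None),
                    ("Bluebird#7", "bluebird22"), ("hunter2", None)]:
        print(pw, "->", screen_password(pw, cur) or "passes")
```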

Our reminder to you is that every single piece of personal information has value. While the login credentials to your social media accounts may not initially cause the damage that an exposed SSN or banking account information will, with a little work from criminals those social media login credentials can lead to exposing more forms of personal information. Each piece of personal information is like a puzzle piece or clue which can be put together to cause serious damage in the form of identity crime. So, while an SSN, or other sensitive personal information, is far more valuable in the eyes of identity thieves, an email password has value as well. Both can lead to having your identity stolen. Consumers must understand that each piece of personal information or data has value and protect it.


It can happen to anyone, and can happen anywhere. You’re going about your business when you suddenly find a wallet on the ground. You look around to see if you can still spot the person who lost it, but they don’t seem to be nearby. You pick it up, open it carefully, and are shocked by what you see inside.

This scenario happens every single day, and some of the best, most responsible people can be either the wallet loser or the wallet finder. Unfortunately, picking up someone’s personal—and possibly even valuable—property can come with both risks and benefits.

Of course, the very first benefit is the opportunity to be a Good Samaritan, to be a bright spot in someone’s day. After all, they’ve just lost something very important, and the consequences for them can range from aggravating to downright terrible. Returning their property to them in the condition in which they lost it can really make you feel good.

At the same time, you could be opening yourself up to a few risks. What if the owner claims there was a lot of money in it, money that was long gone before you ever found it? What if the owner later accuses you—either innocently or maliciously—of identity theft or financial account takeover? Maybe this chance to help someone is just too big of a burden after all…

Your next steps in a situation like this can vary a little bit depending on where you located the wallet. If you’re in a store or business, your gym, a doctor’s office, or any other location that has a surveillance camera, you’re probably in the clear from accusations. Remain visible while picking it up, and turn it in at the front desk immediately. If you feel it’s necessary, you can wait while the attendant tries to locate the owner. The driver’s license, credit cards, and any retail rewards cards can help; just call the number on the credit cards or rewards cards and provide the name or account number. They should have a contact number for the owner, and can pass along the location of the wallet.

But what if you’re out in the open? A wallet can easily fall out of someone’s pocket, briefcase, or handbag, and there might not be security cameras to help you prove that you had every innocent intention. It’s best in this case to dial the local police department’s non-emergency number—please do not tie up the 911 dispatch system for something like this—and tell them that you are standing near a lost wallet. Ask for a patrol vehicle in the area to come and take over, and wait with the wallet if you can.

What should you do if someone comes up and claims to be the owner? Let it go. Whether they are the owner or not is not really in your wheelhouse. You are not responsible for someone who may or may not have criminal intentions, and getting into an argument over the property is not worth it in the end.

NOTE: It’s very tempting to post about the wallet on social media sites like Facebook in order to track down the owner, but that is not a good idea. You have no way of identifying the real owner, and you could risk compromising that person’s identity if you post a photo that includes part of the driver’s license, a credit card, a checking account number, or other details.


There was a time when child identity theft was thought of as a family problem, and it’s true that many cases over the years have been perpetrated by a custodial or non-custodial parent, a close relative, or even a family friend. Once the individual gained access to the child’s sensitive documents, they could open numerous lines of credit with the child’s “untarnished” credit record. In many cases, the identity thief may have been trying to get out of a dire financial situation, and fully intended to pay off any debt incurred in the child’s name; at the same time, some unscrupulous thieves didn’t care what consequences waited for the child down the road.

Too often, the children didn’t even know they’d been victimized until they reached adulthood and tried to use their legitimate credit.

In more recent years, though, hackers and identity thieves have begun targeting kids in order to take advantage of clean credit that no one will be monitoring for years to come. Schools, doctor’s offices, daycare centers, even school lunch computers have suffered data breaches intent on nabbing kids’ personally identifiable information.

According to Javelin Strategy and Research’s 2018 Child Identity Fraud Study, there were more than one million reported cases of child identity theft in the US last year, with the majority of those cases victimizing children under the age of eight. Another 20 percent of the victims were between the ages of eight and twelve.

Unfortunately, those are just the cases that were reported, which means the actual number of victims may be much higher.

But this new avenue of data breaches leading to identity theft doesn’t mean that parents can let their guards down about friends or relatives. The same Javelin study found that in 60 percent of the cases last year, the child knew their identity thief; that’s very different from the data point that says only 7 percent of adult victims know their identity thief.

One of the increasingly common methods of using children’s stolen credentials is to grab a Social Security number and combine it with a fake name, address, phone number, and more. Known as “synthetic identity theft,” the thief isn’t using the child’s complete identity, but rather has created a whole new person with this information. That makes it a little harder for victims and law enforcement to notice the problem in the first place or take action after the fact.

Concerned parents or guardians have a few steps they can take, though. If the child in question is over 14, they can request a credit report in the same way that any consumer does. Visiting will provide the minor in question with a free credit report, and allow them to look it over for signs of suspicious activity. If the child is under the age of 14, the steps are a little harder. The adult must prove they have a right to access and see the information, but it’s a worthwhile step if there’s reason to believe a child’s identity may have been compromised.


The Identity Theft Resource Center (ITRC) and other advocacy groups have tracked data breaches, identity theft, scams and fraud for years. However, it is difficult to identify the geographic patterns to these crimes.

The Federal Bureau of Investigation (FBI) has released its annual cybercrimes report, which outlines which states saw the largest number of compromised records and the largest financial losses. The report provides statistics on what states are hit the hardest by these crimes. It also breaks down how much financial damage is caused and what mechanism for the crime was used. Interestingly, some of the states with the highest numbers of cybercrime have also been on the top identity theft state lists for several years. California, Florida, Texas, New York and Pennsylvania (in that order) had the highest numbers of cybercrime reports last year. The most financial damage from these attacks occurred in California, Texas, Florida, New York, and Arizona, again, in that order. As for how these cybercrimes manifested, Business Email Compromise (BEC) and ransomware were highly common forms, as were tech support fraud and extortion.


With such alarming numbers of occurrences around the country, what are individual consumers and businesses supposed to do? The very first answer is to simply understand that the threat even exists. Read up on the findings of the FBI, the ITRC’s annual Aftermath report, and the Federal Trade Commission’s data on fraud reports. Once you understand the ways—and the likelihood—that cybercrime can strike, you’ll be better prepared to take as much preventive action as you can.

That action all starts with recognizing a possible cyber attack and refusing to play along. BECs and ransomware are easily ignored if you understand the dynamics that hackers use to trap you, for example. These tactics rely on the person receiving the communication not realizing the danger, so it’s important to set solid policies in place (for yourself and your workplace) about how to recognize, respond, and even recover from a cyber attack.


In a “skim the surface” nutshell, the General Data Protection Regulation – or GDPR – will hold businesses even more accountable if they let consumers’ data fall into the wrong hands.

New regulations are set to take place in Europe this week, ones that are intended to provide better security and privacy for EU consumers. So what does the GDPR have to do with you as a U.S. consumer? And more importantly, why are all these companies emailing you about it all of a sudden?

The GDPR is giving a lot more protection to consumers. For example, the EU is invoking a broader “right to be forgotten” measure than is currently in place, one that lets you request—at least in Europe—that inflammatory or unfounded articles about you be removed from search engines. EU residents also have the peace of mind of knowing that a company now has 72 hours to report a data breach; even though you reside in the U.S., the company now has to report it almost immediately in Europe if it happens. There are several other new changes included in the GDPR, which you can read about here.

First, even though you may be in the U.S., if a company anywhere in the world gathers and/or stores EU consumer data, it has to comply with the new GDPR. As a result, some U.S. companies have updated their privacy policies and they’re simply informing their users and customers. That means companies like Facebook, Amazon, Walmart and many more are making some changes and spreading the word.

On a very positive note, some companies are using this new mandatory compliance to tighten up their security even in places where it’s not yet required by law. After all, if you’re changing your company’s business practices for millions of users in Europe, why not make all of your users’ information safer?

It’s important to note that these emails you may have received are simply informing you of the shift in privacy practices that will take effect this week. There’s nothing specific for you to do unless you’ve been given instructions, such as setting up two-factor authentication or changing your password. Also, this flood of emails can help you in another way: you may have forgotten you signed up for company emails. If that’s the case, now is a good time to delete your account if you don’t use it or change your old password if you wish to continue having an account. That way, you may be able to avoid having your information compromised if one of those companies is ever the victim of a data breach.


A single typo can come back to haunt you online, as scammers purchase like-sounding domain names in order to trap unsuspecting users.

Years ago, Disney Channel had a segment of programming for kids around ages eight through ten that was called “Zoog Disney.” The shows in that time slot featured relatable actors facing situations that were specific yet entertaining for kids in this age bracket. The Zoog Disney programming aligned with its Zoog Disney website, which kept the fun going online.

Unscrupulous scammers immediately purchased the domain name “Zoo Disney,” hoping to lure in children and parents who left off the last letter in Zoog.

Of course, stories have circulated for years about a hidden pornography site located at rather than the official government website for 1600 Pennsylvania Ave. Currently, the .com domain runs unsanctioned political content rather than pornography, but the result is the same: much like Zoo Disney, scammers are trying to reach users who miss a letter or mistype their entries.

In a trick called “typosquatting,” websites are set up in hopes that you are confused by the web address or type a little too fast to pay attention to a missing letter here or there. Unfortunately, once a scammer goes to those lengths, there has to be some kind of payoff; these spoofed websites are often filled with malware and other harmful web applications, profiting off your quick fingers.

One of the most common culprits is the “.com” ending that we’re all so used to. Numerous fraudulent sites end with “.cm,” hoping that you were a little too quick with the keyboard. By some accounts, as many as 12 million users a year are redirected to these bogus websites ending in .cm domain names. Once a user ends up at a site like this one—unaware that they’ve mistyped—they’re often flooded with threatening popup boxes that claim their computers are filled with viruses.

There are a few ways to fight back against typosquatting. First, make sure that you type clearly and carefully when you’re entering a web address into the URL bar. If you can bookmark popular sites that you visit frequently, that can also help you avoid potential disaster. Finally, remember never to fall for popup boxes or even browser lockers. Instead, exit out and start a whole new browsing session, and run a quick antivirus scan to be safe.
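The missing-letter and “.cm” mistakes described above can be caught before a page loads, for instance in a DNS filter or a mail-link checker, by comparing a typed hostname against a list of sites the user actually visits. This is an added example, not code from the article; it generalizes from a missing letter to any single-keystroke slip, and the allow-list and function names are assumptions (example.com and example.org are reserved documentation domains).

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed allow-list of sites the user really visits.
KNOWN_GOOD = frozenset({"example.com", "example.org"})


@dataclass(frozen=True)
class Verdict:
    status: str                     # "ok", "suspicious" or "unknown"
    intended: Optional[str] = None  # the known-good site the user probably meant
    reason: str = ""


def single_typo(typed: str, good: str) -> Optional[str]:
    """Name the one-keystroke slip that turns `good` into `typed`, if any."""
    if typed == good or abs(len(typed) - len(good)) > 1:
        return None
    i = 0  # index of the first character that differs
    while i < min(len(typed), len(good)) and typed[i] == good[i]:
        i += 1
    if len(typed) + 1 == len(good):
        return "missing letter" if typed[i:] == good[i + 1:] else None
    if len(typed) == len(good) + 1:
        return "extra letter" if typed[i + 1:] == good[i:] else None
    if typed[i + 1:] == good[i + 1:]:
        return "wrong letter"
    if (i + 1 < len(typed) and typed[i] == good[i + 1]
            and typed[i + 1] == good[i] and typed[i + 2:] == good[i + 2:]):
        return "swapped letters"
    return None


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def check_host(host: str, known_good: Iterable[str] = KNOWN_GOOD) -> Verdict:
    """Classify a hostname as known-good, a likely typo of one, or unknown."""
    known = set(known_good)
    h = normalize(host)
    if h in known:
        return Verdict("ok", h)
    name_t, _, tld_t = h.rpartition(".")
    for good in sorted(known):
        name_g, _, tld_g = good.rpartition(".")
        if name_t == name_g:      # same name, different ending (.cm for .com)
            kind, where = single_typo(tld_t, tld_g), "ending"
        elif tld_t == tld_g:      # same ending, name differs
            kind, where = single_typo(name_t, name_g), "name"
        else:
            continue
        if kind:
            return Verdict("suspicious", good, f"{kind} in {where}")
    return Verdict("unknown")


if __name__ == "__main__":
    # Constructed sample of typed hostnames.
    for typed in ["www.example.com", "example.cm", "exmple.com",
                  "exmaple.org", "unrelated.net"]:
        print(f"{typed:18} {check_host(typed)}")
```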


For years, consumers have been encouraged to monitor their credit reports annually in order to stay on top of their credit and financial security.

First, you need to understand that there are three different major credit reporting agencies (CRAs) — Experian, Equifax and TransUnion, in addition to many smaller, industry-specific CRAs. The three major CRAs will be the ones that almost all consumers should focus on. Following legislation passed by Congress in 2003, all US consumers are entitled to one free copy of their credit reports each year, from each of the three major CRAs.

Not too long ago, ordering a copy of your credit report was not a simple or rapid process. Now, however, the agencies have adopted technology to help consumers monitor their credit and head off any troubling findings in a much faster way. Experian, for example, maintains a full suite of consumer tools on its website to help the public check their Experian credit reports and more.

To access your Experian credit report for free, visit the website and enter your information. This process will not require a credit card and the credit report will be available immediately for you to review on your computer.

That’s the first step. From there, look over the results carefully for errors or signs of fraudulent activity. Is the spelling of your name accurate? Are there open credit cards in your name that you didn’t apply for? Are there personal or home loans, rental agreements or automobile loans that don’t belong to you? If so, you can take action to correct mistakes and cases of fraud.

Fortunately, Experian lets you dispute information on your Experian credit report easily and conveniently on its website in the Dispute Center portal. There are prompts to walk you through the process: you can select the information to dispute right from the screen with just a few clicks, and you receive the results of the investigation within 30 days. The website is also mobile-optimized so you can use your smartphone or tablet to conduct the transaction and upload documents using the device’s camera roll. While you’re waiting for feedback from Experian on the issues you’ve disputed, it’s a good idea to check all of your bank account statements, credit card statements and other sensitive accounts to see if someone has used your existing accounts without your permission (there is a separate process if you have had your existing accounts compromised).

Experian & Identity Theft Resource Center recognize that navigating your way through a case of identity theft is difficult. That is why we have worked together to provide resources to help you. By arming you with some steps you may want to take and tips to help you should you become a victim of identity theft, we hope we can make the process easier for victims of identity theft. For more information, visit



Experian proudly sponsors and provides financial support to the ITRC. The ITRC may feature certain products offered by its sponsors.  We believe these products, as well as similar products generally available in the market, may be appropriate for use by consumers or businesses to reduce the risk of fraud and/or identity theft.  We do not test these products and therefore do not endorse or guarantee the performance or efficacy of any particular product.

In the coming weeks, students across the country are going to experience a major shift in their lives, probably one that is unlike any other developmental milestone they’ve ever faced.

Come June, young people who’ve still had to follow curfews, dress codes, and rules about raising their hand for permission to use the bathroom will suddenly be considered adults.

Whether you’re heading to college or entering the workforce, your life may take a very sharp turn once you hit this milestone. It’s important to be prepared for some of the changes that may be coming your way, especially regarding your financial, medical, and personal identity.

Financial identity

You may have already had a job and a bank account, perhaps even a car loan, but once you finish high school, the dynamic can still shift a little. Your parents might have been joint account holders or co-signers; they may remain on your accounts or you may find yourself solely responsible for them. Understanding how your financial identity can be put at risk is crucial, especially if you’re going it alone.

Talk to your financial institution about building credit responsibly, but also about protecting your accounts. Your bank account, credit card, loans or any other financial dealings can be susceptible to takeover, and your identity can be used fraudulently to open new lines of credit or accounts. You need to know how to spot the signs of a problem and how to take action to correct it.

Medical identity

Again, this is a time when you may still be on your parents’ health insurance or when you’ll be relying on your own coverage to receive care. But your identifying information can also be used by a thief. If you suddenly receive medical bills or health insurance statements for treatments you never received, prescriptions that aren’t yours or any other related services—whether through your hometown doctor, your student health center or another healthcare provider—contact those offices immediately to report the problem.

Remember, it can be difficult to handle medical identity theft cases because HIPAA privacy laws still cover the person who used your identity. You may need to demonstrate that you were not the person who sought the care and that you are not responsible for any charges or legal fallout from the issue.

Personal Identity Theft

There are many different ways someone can steal and use your identity. New situations like moving into a dorm or apartment, filling out background checks to sign a lease or activate utilities, applying for colleges or jobs and other related scenarios can mean that your identifying information is now in a lot more places than it was when you were a kid. It’s time to understand how your information can be stolen, how to recognize if you might be a victim and what steps to take next. The Identity Theft Resource Center is a great place to start gathering information before a problem comes up, as well as an excellent resource to turn to if something goes wrong.

There’s one more thing to keep in mind as June approaches: if you’re filing a FAFSA application for financial aid to college or technical school, the deadline is June 30. Don’t wait until the last minute, though; if you discover that someone has already filed one in your name, you’ll need time to report the matter and file your legitimate FAFSA in order to avoid missing the opportunity for financial aid consideration. Get your application in quickly so you can have time to address any identity theft problems that possibly arise.


Tech recycling has been a major environmental and security focus in recent years as consumers discard old computers, outdated cell phones, and other devices.

Apart from the danger of these components leaking potentially toxic chemicals into a landfill or groundwater, there is the additional risk of an old device falling into the wrong hands and the original owner’s data being gleaned from it.

Now, consumers are being asked to evaluate their internet-of-things devices. As this technology increases in innovation and new options begin to replace old ones, users will have to keep the same safety and security considerations in mind. It’s not just the concerns over the physical components like batteries, copper wiring, mercury, and other toxins, either. An Amazon Alexa, for example, could potentially lead back to your Amazon account, your purchase history, your order history with delivery address, and even recordings of your voice. Likewise, an identity thief would love to get their hands on a medical IoT device that connected your health data to your doctor’s office or medical center, as it “speaks” to and receives messages from your medical records.

Fortunately, e-cycling initiatives have taken hold in many communities around the world. These programs not only keep the electronic components out of the dump, they also ensure that the device is thoroughly wiped clean of user information, old files and photos, and any other data that people wouldn’t want exposed.

Any device that connected to your identifying information, no matter how innocuous or sensitive it might have been, has the potential to be stripped for information by a hacker. Safeguarding your information means ensuring that any information contained within the device or that connected to the device is completely inaccessible. You can search online for e-cycling centers near you before disposing of other devices, but contact them to make sure they can accept IoT devices, especially any medical devices, before bringing them in.

Before discarding any internet-of-things or mobile connected device, wipe it clean of all data and profile information. If you can find the instructions to restore it to factory settings, that is an excellent way to do it. When in doubt, take it back to an authorized retailer for that product and get help determining that your information and your account profile are completely gone, then recycle it with confidence.
