How Does Identity Theft Work?

As more private and public services move online, we upload more data to the web. Personal information now resides on hundreds, if not thousands, of servers. One downside of our growing digital presence is the rise in identity theft.

In this article, we’ll break down how identity theft works, explore the methods cybercriminals use, and outline the steps you can take to protect yourself. While we focus on the three Nordic countries—Denmark, Sweden, and Norway—the general guidelines apply no matter where you are.

What is identity theft?

Identity theft is when someone obtains and uses your personal information, such as your national identity number, bank account details, or login credentials. The goal is often to steal money, access services, or commit fraud under your name. In practical terms, this can involve buying goods, opening a bank account, registering a telephone subscription, or applying for a credit card or loan using someone else's identity.

The big picture: a surge in cyberthreats that target identities

Cyberattacks and cybercrime are growing in number and getting more sophisticated every year.

In 2023, Europe experienced more cyberattacks than any other region, and online fraud schemes remain a major threat on the continent. While ransomware and romance scams often receive more attention, identity theft is much easier and faster to execute and monetize. National identity numbers, credit card details, and other personal information can be stolen and sold on the dark web or used by criminals for quick profit. Phishing—one of the main identity theft techniques—is still one of the most favored forms of cybercrime.

Recent research from IBM reveals that in 2023, there was a sharp rise in cyberthreats specifically targeting identities. Interestingly, rather than hacking into systems, many attackers are choosing an easier route of logging in using already stolen credentials. This is explained by the abundance of compromised identities on the dark web: It is easier for criminals to obtain valid credentials than to exploit software vulnerabilities or carry out phishing attacks. 

This change in tactics has led to alarming statistics. Attacks using valid credentials surged by 71%, making them one of the most common ways attackers breach systems, alongside phishing. IBM also reported a 266% rise in the use of infostealing malware which can unlock access to accounts. 

As one former identity thief explained to The New York Times: “The reason that people aren’t being victimized is because there simply aren’t enough criminals to take advantage of all the information that’s out there.”

The Nordic context

Several factors make the Nordic countries particularly attractive targets for various types of online fraud. For a comprehensive analysis, see the Nordic threat assessment on online fraud 2024. 

First of all, the level of trust in the Nordics is high, both in interpersonal relationships and in governmental institutions. Trust is a crucial element that facilitates commercial transactions, but it also makes them vulnerable to exploitation.

Second, the Nordics are among the top 20 richest countries in the world measured by Gross National Product (GNP) per capita. People’s wealth and ability to obtain large loans make them desirable targets for fraudsters. The Nordics are also a region with an open economy, relying on international trade. This international exposure further contributes to their increased vulnerability to fraud.

Lastly, the Nordic countries are known for their advanced digital infrastructure, which is deeply integrated with public services. Citizens rely on electronic identification systems like MitID (Denmark) and BankID (Norway and Sweden) to access online platforms for government services, banking, and healthcare. This makes life more convenient but also means that a person’s digital identity is crucial for many aspects of everyday life. 

Overall, this combination of reliance on digital platforms, high levels of trust, and economic wealth creates plenty of opportunities for cybercriminals. In 2023, close to 260,000 online fraud schemes were reported to the police in the Nordic countries, and this number is expected to increase.

How does identity theft happen?

There are several ways someone’s identity can be stolen:

• Phishing scams: Criminals send emails that appear to be from trusted institutions like banks, government agencies, or well-known businesses. These messages often contain malicious links pointing to malware downloads or fake websites designed to steal your login information. Phishing campaigns are mostly carried out via email but can also happen through SMS (smishing) and phone calls (vishing).
• Phone scams: In this variation of a phishing attack, fraudsters call and claim to be from a bank, delivery company, or other trusted organization. They’ll often spoof the caller ID to seem legitimate.
• Data breaches: Hackers steal sensitive information like national identity numbers and passwords from company databases. They can then sell this data on the dark web or use it directly to commit fraud.
• Wi-Fi hacking: Some public Wi-Fi connections are unencrypted, which lets hackers view and exploit the information traveling to and from your device. Cybercriminals can also create fake Wi-Fi hotspots with names that sound like legitimate networks, in what is called an evil twin attack.
• Mail theft or stolen documents: Physical mail containing personal or financial information can be stolen and used for fraudulent purposes.
• Credit card skimming: Criminals use fake card readers at ATMs or point-of-sale systems to steal card data. While physical skimming is a diminishing threat in the EU, relay attacks targeting payment card chips (shimming) are seemingly on the rise. Digital skimming occurs online, where fraudsters steal credit card details from checkout pages.
• Purchase of stolen data on the dark web: The dark web is a vast network of websites and forums that aren’t accessible through standard web browsers. Cybercriminals use the dark web to sell and share information that has been stolen in data breaches.
• Malware: Cybercriminals can install malware on your device through infected email attachments, malicious links, or compromised websites. Once installed, malware can steal personal information, financial data, and login credentials, or spread ransomware or other malicious software. The scale of malware attacks can be staggering. Qakbot, for instance, infected over 700,000 computers, with at least EUR 54 million paid in ransoms since 2007. It took a large-scale international operation to disrupt its infrastructure in 2023.

Protecting yourself from identity theft

Since we often use eIDs and receive emails from trusted sources, it’s easy to be tricked by what seems like a legitimate request. Staying vigilant is the key to protecting yourself from identity theft:

• Be aware of phishing: Never click on links or provide personal information via email or text. 
• Be cautious online: Don’t share personal information on unsecured websites or through unsolicited emails or phone calls. Remember that HTTPS is not a guarantee that a website is legit: In fact, more than half of phishing websites now use HTTPS.
• Never share personal information during phone calls. Don't let yourself be pressured, even if the request states that it is urgent. If you’re in doubt, contact the company or the authority yourself via official channels.
• Monitor your accounts: Check your bank and credit card statements regularly. If you see transactions you do not recognize, contact your bank.
• Enable Two-Factor Authentication: This adds an extra layer of security and makes it more difficult for fraudsters to access your accounts.
• Use strong passwords: Create complex, unique passwords for all accounts and avoid reusing the same password across platforms.
• Secure your devices: Keep your phone and apps updated. Consider using a password manager to store your login credentials. 
• Shred sensitive documents: Destroy documents that contain personal information before disposing of them.
• Avoid using public WiFi: Always check the spelling of a network name before connecting. If you have to connect to public WiFi, always use a VPN. 
• Be cautious with social media: Limit the amount of personal information you share on social media platforms, as cybercriminals can use it for identity theft.

In addition to these general recommendations, each country provides specific guidelines on preventive measures and actions to take if you fall victim to identity theft.

Demark

In 2022, 7 out of 10 Danes were exposed to fraud attempts via phone calls, emails, and text messages, but only 1% became victims.

There have been numerous initiatives to increase awareness about fraud, and you can get a lot of information from official sources, including guides on how to spot fraud and a dedicated guide on identity theft. The Danish Digital Agency created a hotline for digital security that you can call if your personal information has been stolen. If you suspect you were a victim of identity theft, you must report it to the police.

Sweden

Online fraud and digital scams cost Sweden SEK 1.2 billion in 2023. Similar to Denmark, over half the population has received a scam text with approximately 1% of cases being successful.

The Swedish BankID guide on preventing identity theft advises blocking unauthorized changes to your address and exercising caution when sharing personal details, among other things. Identity theft incidents should be reported to the police, who also provide guidelines on protecting yourself from scam calls. 

Norway

A 2022 report showed that 150,000 Norwegians experienced identity theft in the preceding two years. Most cases were connected to online shopping, but identity theft via social media is also rising. 

Victims are advised to notify businesses they have a customer relationship with and close accounts exposed to unauthorized activity. In case of identity theft, one should contact the police.