Do Commonly Recommended Preventive Actions Deter Identity Theft Victimization? Findings from NCVS Identity Theft Surveys

ABSTRACT

It remains unknown if taking commonly used preventive actions is related to identity theft. In the current study, we use a dataset featuring over 220,000 respondents to the National Crime Victimization Survey Identity Theft Supplement (NCVS ITS). The survey was conducted by the Bureau of Justice Statistics (BJS) first in 2012, then again in 2014, and once more in 2016. The findings reported here suggest that demographic variables (e.g., gender, income) and types of online activities (e.g., frequency of online shopping) are significantly related to identity theft victimization. An interesting additional finding is that among seven distinct types of preventive actions listed in the NCVS ITS survey (frequently checking credit reports, frequently changing passwords for financial accounts, employing purchase credit monitoring, shredding documents containing personal information, monitoring bank statements for suspect charges, using security software programs, and purchasing identity theft protection), shredding documents with personal information ALONE is significantly negatively related to identity theft victimization. All six other preventive actions are either positively related or unrelated to identity theft victimization. These findings generate practical implications and, most importantly, raise the question of whether some newly-fashioned preventive actions might provide better protection from identity theft protection.

KEYWORDS:

• Identity theft
• crime prevention
• NCVS
• cybersecurity

Introduction

Identity theft often involves illegal possession and use of another person’s identity information to gain profit (Hu, Zhang, and Lovrich 2021a). It has become a common crime in the Western world. The Internet Crime Complaint Center (IC3) within the Federal Bureau of Investigation (FBI) reported about 51,000 identity theft complaints that led to $278 million in financial losses in 2021 in the U.S. (Internet Crime Complaint Center, 2022) These official complaints are mostly received by IC3 via its online reporting portal. Many identity theft victims do not report their victimization, so this is a conservative estimate of loss. Harrell (2019) estimates that about 10% of U.S. adults have been victims of identity theft each year over the course of the past decade, resulting in an estimated 26 million crime victims annually. Similarly, the European Commission (2020) reported that about 33% of respondents experienced identity theft in 2019 based on a survey conducted across 30 European countries. Reyns (2013) estimates that about 1.8 million British citizens become identity theft victims each year. To be noted, these figures are estimates based on a combination of self-reported and official data, and information collected among victims who know they are identity theft victims. One of the bedeviling features of identity theft is that victims are often unaware of their victimizations. It follows that the actual number of identity theft victims is likely even larger than the numbers derived from the Harrell and Reyns surveys (Hu, Zhang, and Lovrich 2021a).

Figure 1. ROC Curves and AUC Values of Model 1 (left) and Model 2 (right).

Figure 2. ROC Curves and AUC Values of Model 3 (left) and Model 4 (right).

Figure 3. ROC Curves and AUC Values of Model 5 (left) and Model 6 (right).

Figure 4. ROC Curves and AUC Values of Model 7 (left) and Model 8 (right).

Figure 5. ROC Curves and AUC Values of Model 9 (left) and Model 10 (right).

Another noteworthy feature of identity theft is that individuals can become identity theft victims even if they do not engage in high-risk behaviors. People can experience identity theft by losing their wallets or purses, getting baited by pretext calls and skimming, or replying to innocent-appearing junk email messages (Allison, Schuck, and Lersch 2005; Hu, Zhang, and Lovrich 2021a). Likewise, data breaches can also lead to the leaking of personal information to nefarious parties. For example, the data breach of Capital One records led to the leaking of personal information for over 100 million customers (Chapple 2019). The data breach of the American Medical Collection Agency similarly affected millions of agency patients (Chapple 2019). In like manner, the data breach of the Equifax Credit Bureau impacted an estimated 147 million individuals (Cowley 2019).

Researchers and public officials alike started paying close attention to identity theft over a decade ago. The National Crime Victimization Survey (NCVS) team first included questions related to identity theft in their 2004 questionnaire (Baum 2006). Later, the NCVS started using the Identity Theft Supplement (ITS). As of 2021, the ITS has been implemented five times – in 2008, 2012, 2014, 2016, and 2018. Identity theft commonly involves both monetary and nonmonetary consequences (Hu, Zhang, and Lovrich 2021a). Although it is nearly impossible to completely eliminate the risk of being victimized by identity theft, many people take precautions to reduce their risk (Hu, Zhang, and Lovrich 2021a). Prior studies have focused primarily on the demographic characteristics and types of online behavior that predict identity theft victimization (e.g., Allison, Schuck, and Lersch 2005; Reyns 2013). However, it remains unknown if taking commonly employed preventive actions effectively reduces one’s exposure to identity theft victimization.

In an attempt to fill this research gap, we make use of survey data drawn from the National Crime Victimization Survey Identity Theft Supplement (NCVS ITS). This study explores two empirical research questions: 1) are identity theft preventive actions related to one’s likelihood of identity theft victimization? and 2) do identity theft preventive actions play a different role in explaining identity theft victimization for prior victims and for non-prior victims? The research limitations of this study are identified and discussed, and the public policy implications of our reported findings are discussed in some detail.

Literature review

Identity theft: definition, impact, and victims

Like many concepts in broad use in criminal justice, there is no universally accepted definition of identity theft. The public often views identity theft as a crime involving someone stealing a credit card and/or bank account information and gaining some form of financial benefit as a consequence. In academia, some scholars use the broader term ‘identity fraud’ (Pontell 2002). However, one element of fraud in statutory law and common law alike requires some form of direct communication between victims and offenders (Golladay and Holtfreter 2017); identity theft does not always involve such interpersonal exchange (Reyns 2013). For instance, ‘old-fashion’ identity theft often involved the theft of wallets and dumpster diving for personal information (Allison, Schuck, and Lersch 2005). Victims do not know who steals their wallets or opens new accounts with their identity until a suspect is identified. ‘Modern’ identity theft often entails spam and junk emails with fake hyperlinks providing a means for victims and offenders to interact. In the case of major and minor data breaches, victims definitely have no idea of who has stolen their financial identities.

Despite the presence of some diversity in how identify theft is being conceptualized in the criminal justice arena, a generally accepted definition among scholars holds that identity theft entails the ‘the unlawful use of another person’s personal identifying information’ (Piquero, Cohen, and Piquero 2011, p. 438). Identity thieves may either directly use another’s identifying information to open new accounts and/or make purchases, or they can sell the personal information to other thieves. While a useful conceptualization, this commonly used definition does not entirely overcome the problem of documenting the occurrence of identity theft. For example, victimization surveys such as the NCVS ITS typically treat unauthorized use of existing credit cards as one measure of identity theft (Copes et al. 2010; Hu, Zhang, and Lovrich 2021a). In contrast, research that relies upon police records and offender interviews often does not count credit card misuse as a form of identity theft (Copes and Vieraitis 2009a; Rebovich 2009). For example, Copes et al.’s (2010) study suggests that ‘including existing credit card fraud may obscure the fact that those who are female, black, young, and low income are disproportionately victimized by existing bank account fraud’ (p. 1045). Given these considerations, the best research approach would seem to be to separately analyze each type of identity theft (e.g., misuse of existing bank accounts, misuse of existing credit cards, and opening of new accounts) instead of analyzing identity theft as a whole.

Despite the unsettled definition of identity theft as a crime, its social cost is undoubtedly massive, including monetary loss, emotional distress, and physical distress. An early study estimated that the direct costs of identity theft were $15.6 million in 2006 (Piquero, Cohen, and Piquero 2011). Other studies analyzed NCVS ITS surveys and estimated that the monetary losses were $24.7 billion in 2012, $15.4 billion in 2014, and $17.5 billion in 2016 in the U.S. (Harrell 2019; Harrell and Langton 2013; Harrell 2015). A recent study reported that identity theft victims experienced losses of ~$850 on the average (Harrell 2019). If they were victims of the opening of new accounts, the average losses were $3,460 (Harrell 2019).

Emotional and physical distresses are not uncommon among identity theft victims. Golladay and Holtfreter (2017) reported that identity theft victims often experienced severe headaches, had trouble sleeping, experienced rage and anger, and in some cases suffered from prolonged depression. Randa and Reyns (2019) reported that victims of identity theft were more likely to experience distresses as the length of time their cases dragged out before they were ultimately cleared up. The time spent on resolving identity theft cases could range from mere hours to many days, and in some cases the problem persists for years (Copes et al. 2010; Piquero, Cohen, and Piquero 2011).

The demographic traits of identity theft victims are, in general, different from those of violent and property crime victims (Hu, Zhang, and Lovrich 2021a). For example, compared to victims of violent and property crimes, victims of identity theft are usually older (Golladay 2017). Individuals between 25- and 64-year-old are likely to be identity theft victims (Anderson 2006; Harrell 2019). Regarding gender and race, findings are not consistent. Some studies have found that males were more likely to be victims of identity theft than females (e.g., Allison, Schuck, and Lersch 2005; Anderson 2006), while others have reached the opposite conclusion (e.g., Reyns 2013). Some studies found that minorities were disproportionately likely to become identity theft victims (e.g., Anderson 2006), while some scholars have argued that Whites were more likely to be the victims of these crimes than minority people (e.g., Allison, Schuck, and Lersch 2005; Harrell 2019). Unlike street crimes, individuals with higher incomes are more likely to be identity theft victims than persons of modest means (Anderson 2006; Harrell 2019; Reyns 2013). Studies have found that persons with annual incomes of $75,000 or higher were significantly more likely to become identity theft victims when compared to persons with incomes of $25,000 or lower (Anderson 2006; Harrell 2019). Marital status and the number of children in the household may also impact identity theft victimization. Married individuals and households with three or more children are more likely to be victims of identity theft than non-married individuals and childless households (Anderson 2006; Reyns 2013).

In the increasingly virtual and online age in which we live, individuals’ online behavior – particularly online purchasing of goods and services – has been shown to increase the likelihood of identity theft victimization. For example, Holtfreter et al. (2015) found that individuals with low self-control tended to engage in more risky online purchasing (e.g., purchase things online with unknown people). Another study reported evidence that people who used email and online banking frequently were more likely to experience identity theft than people who less frequently use email and engage in online banking (Reyns 2013). Also, people who engaged in downloading files were more likely to be victims of identity theft than those who did not (Reyns 2013). A recent study suggested that whether individuals purchased things online and how often they made online purchases would impact likelihood of identity theft victimization (Hu, Zhang, and Lovrich 2021a). How individuals perceive their risks of being identity theft victims perhaps influences their actual identity theft victimization. For example, Reisig, Pratt, and Holtfreter (2009) found that people who articulated a higher perceived risk of cybercrime victimization tended to spend less time online and make fewer online purchases. In contrast, Reyns (2013) reported that people with higher perceived risk were three times more likely to become identity theft victims, a finding likely attributable to the fact that these people might have been victimized previously. Some studies found that prior identity theft victimization had a significant relation with later identity theft victimization (Hu, Zhang, and Lovrich 2021a).

Preventing identity theft: commonly advised and often used preventive actions

Identity theft is considered an easy and relatively low-risk criminal activity for many offenders (Copes and Vieraitis 2009a). The clearance rate for identity theft is relatively low, a fact which highlights the importance of prevention (Allison, Schuck, and Lersch 2005; Hu, Zhang, and Lovrich 2021a). In response to various identity theft methods, studies have suggested the use of several preventive actions. Broadly, the preventive methods can be divided into two basic types; proactive preventive (prevention) actions and reactive actions (detection) (also see Gibert and Archer 2012). The following two sections review first the proactive and then the reactive actions in some detail.

Proactive actions

The primary purpose of proactive actions is the prevention of identity theft before it occurs. A traditional means used by identity theft offenders include theft of wallets, dumpster diving, and the stealing letters and packages sent in the mail (Allison, Schuck, and Lersch 2005; see also Copes and Vieraitis 2009b). Accordingly, preventive action against the traditional means of identity theft entails the shredding of documents containing personal information (Dean, Buck, and Dean 2014). Based on previous findings, the preventive effect of this action is promising (e.g., Burnes, DeLiema, and Langton 2020; Lai, Li, and Hsieh 2012). Using a sample collected from a large U.S. university, Lai, Li, and Hsieh (2012) found from their SEM analysis that conventional coping (e.g., the shredding of bank statements) was effective in reducing identity theft occurrences. Burnes, DeLiema, and Langton (2020) analyzed NCVS ITS data and found the consistent result that the shredding of personal documents was effective in reducing identity theft victimization.

Frequent change of passwords is one of the potentially successful strategies to prevent online identity theft (Burnes, DeLiema, and Langton 2020: Dean et al., 2014). Some studies have found that frequent password changes of financial accounts reduced identity theft victimization (e.g., Burnes, DeLiema, and Langton 2020; Lai, Li, and Hsieh 2012). While Williams (2016) found that changing passwords was actually positively associated with victimization, he concluded that previous victimization experiences raised caution on identity theft, leading to changing passwords often. However, Reyns and Henson (2016) reached a different conclusion – namely, that regular password change has no preventive effect on online identity theft victimization.

Online security software use has been suggested as another effective proactive method to prevent identity theft (Holt and Turner 2012). However, some studies have called into question the effectiveness of security software for preventing general online crime victimization. While some studies have reported evidence that security software significantly reduced cybercrime victimization (e.g., Choi 2008; Holt and Turner 2012), other studies have reported that security software did not notably reduce cybercrime victimization (Holt and Bossler 2008; Leukfeldt 2014; Marcum 2008). The same pattern is observed in the identity theft research. Holt and Turner (2012) found that using security software significantly reduced online identity theft victimization of individuals at high risk of identity theft, while other studies produced a different result. Williams’s (2016)’s multi-model analysis also revealed the consistent result that using security software was negatively associated with online identity theft victimization. However, using cybercrime victimization survey data collected in the Netherlands, Leukfeldt (2014) found that using security software did not substantially reduce phishing victimization. From their analysis of the Canadian General Social Survey (GSS), Reyns and Henson (2016) also reported the same result – namely, that the use of security software did not appreciatively affect online identity theft victimization.

Reactive actions

Early detection is a key to preventing suffering from the difficult consequences associated with identity theft (Albrecht, Albrecht, and Tzafrir 2011). Reactive actions mainly focus on the early detection of identity theft after it first occurs. Those actions include frequent checking of credit reports/bank statements for suspicious transactions and purchasing external services to prevent identity theft (e.g., identity protection insurance and credit monitoring services). In terms of the frequent checking behaviors, studies generally reported a consistent result that checking credit reports/bank statements frequently was an effective form of behavior to prevent identity theft revictimization (Lai, Li, and Hsieh 2012). However, it must be noted that not all identity theft victims will report crimes to the police. For example, some studies have reported that compared to hacking, identity theft and consumer fraud victims were more likely to report their victimization to the police (van de Weijer, Leukfeldt, and Bernasco 2019). Surprisingly, repeated identity theft victims, high-income victims, and highly-educated victims were less likely to report new identity theft victimization to the police than their counterparts (van de Weijer, Leukfeldt, and Bernasco 2019).

While these frequent checking behaviors are generally preventive against identity theft, studies examining the effectiveness of external protection services such as commercial identity theft protection insurance/credit monitoring revealed that using such services had either no association or even a positive association with identity theft victimization (Burnes, DeLiema, and Langton 2020; Hu, Zhang, and Lovrich 2021a). This correlation with victimization may be a direct consequence of prior victimization experiences leading to the purchasing of external services to prevent future victimization (see Burnes, DeLiema, and Langton 2020; Reyns and Henson 2016; Williams 2016). Additionally, Liu (2019) provided another insightful explanation that identity theft insurance reduces individuals’ perception of identity theft risk and the likelihood of adverse outcomes stemming from high-risk activities, consequently leading to an increased likelihood of identity theft victimization.

The current study

So far, prior studies have focused almost exclusively on citizen demographic characteristics and types of online behavior engaged in for predicting identity theft victimization. However, it remains unknown if taking proactive and/or reactive preventive actions is effective in reducing one’s exposure to identity theft. Unlike traditional crimes, identity theft victims can easily be repeatedly victimized if they do not take self-protective action in time. For example, if a person’s credit card information is stolen, before he or she notifies the bank to cancel the card the thief can continue using this credit card. Additionally, under some circumstances, even if a victim takes action immediately, he or she can do very little to prevent his or her personal identity information from spreading into the hands of malicious parties. For instance, if a person’s social security number (SSN) is stolen by a thief, the wrongdoer can use it to open new accounts and/or sell the private information to another thief (see Data Breach, Chapple 2019). Moreover, the person victimized may have to deal with this issue for a long time because, unlike credit and debit cards, social security numbers cannot be easily changed.

Against this backdrop, this study explores two empirical research questions: 1) are identity theft preventive actions related to one’s likelihood of identity theft victimization? and 2) do identity theft preventive actions play a different role in explaining identity theft victimization for prior victims and for non-prior victims? Analytical methods employed are described in the following section.

Methods

Data

The current study uses survey data on over 220,000 respondents drawn from the National Crime Victimization Survey Identity Theft Supplement (NCVS ITS). The NCVS ITS has been used by several scholars to document factors related to identity theft victimization (e.g., Hu, Zhang, and Lovrich 2021a) and to assess its adverse consequences (e.g., Randa and Reyns 2020). The survey was first conducted in 2008 by the Bureau of Justice Statistics (BJS), and the three waves of the survey used here were conducted in 2012, again in 2014, and once more in 2016. The National Crime Victimization Survey (NCVS) uses a stratified multistage cluster sampling strategy to interview each household member who is aged 12 years and older either in person or via phone in the United States (Hu et al. 2020). The NCVS ITS is a supplement of the NCVS and it interviews household members who are 16 years old or older regarding specific questions related to identity theft victimization after they answer the general questions asked by the NCVS (Bureau of Justice Statistics 2016). The overall response rates are 68.2% in 2012, 66.1% in 2014, and 60.0% in 2016. We combined three waves of the NCVS ITS to maximize the number of cases for analysis. After the three datasets were merged, the sample contained a total of 224,124 observations.

Dependent variables

Although the definition of identity theft is not entirely settled (Copes et al. 2010; Golladay and Holtfreter 2017; Hu, Zhang, and Lovrich 2021a), we make use of the measures the BJS specifies in its identity theft survey. The first three dependent variables measured identity theft victimization related to respondents’ existing accounts. The variable ‘misuse checking/saving accounts’ measured if a respondent’s checking/saving accounts were misused by others in the past 12 months (0 = no and 1 = yes). The variable ‘misuse credit cards’ measured if a respondent’s credit cards or credit card accounts were misused by others in the past 12 months (0 = no and 1 = yes). And the variable ‘misuse other types’ measured if a respondent’s other accounts, including but not limited to cable accounts, iTunes accounts, and PayPal accounts were misused by others in the past 12 months (0 = no and 1 = yes).

The fourth dependent variable, ‘open new accounts,’ asked a respondent if his or her identity information was illegally obtained and used to open new accounts by others. This malicious activity included such things as bank accounts, credit card accounts, loan accounts, and online accounts in the past 12 months (0 = no and 1 = yes). The fifth and final dependent variable ‘information fraudulent’ measured if a respondent’s personal information was misused for other types of fraudulent activities such as renting a house or receiving medical care (0 = no and 1 = yes).

Independent variables

This study explores whether commonly used preventive actions were effective in reducing exposure to identity theft. It employs seven preventive actions specified by the creators of the NCVS ITS; these are all expressed as dichotomous variables. We divided this set of variables into two groups representing proactive and reactive approaches toward risk reduction. The proactive approaches involved actions taken before victimization. The survey measured one traditional proactive approach, asking if a respondent frequently engaged in the shredding of documents such as credit card and bank statements containing personal information (0 = no and 1 = yes). It also used three variables taping into modern proactive approaches born of the digital age. The first one pertains to a respondent frequently changing his or her passwords for financial accounts (0 = no and 1 = yes). The second one involves a respondent using security software programs to prevent misuse of a lost credit card (0 = no and 1 = yes). And the third variable asked a respondent whether he or she purchased identity theft protection from a commercial company (0 = no and 1 = yes).

The reactive approaches entail taking some actions against identity theft, but these actions only detect post hoc identity theft rather than preventing it from happening. The first such reactive variable asked a respondent if he or she frequently checked credit reports (0 = no and 1 = yes), and the second variable asked if he or she frequently checked bank statements (0 = no and 1 = yes). The respondent might notice a suspicious item in credit card reports and/or bank statements, inferring an identity theft might have happened. The victim’s only recourse is to cover the loss, contact the credit card vendor and/or bank in the hopes of preventing future victimization. The current study also used one variable to measure a modern reactive approach entailing ongoing computer-assisted monitoring. It asked a respondent if he or she had purchased credit monitoring services and/or identity theft insurance for recovering losses (0 = no and 1 = yes). Once again, these services only monitor accounts for suspicious (abnormal) purchases and withdrawals rather than preventing identity theft victimization.

Control variables

To explore whether preventive actions do impact likelihood of identity theft victimization, the current study used several conventional control variables, categorized into three groups. The first group of control variables measured a respondent’s demographic background characteristics. Many prior studies have shown that demographic variables can be significant factors associated with identity theft victimization (e.g., Allison, Schuck, and Lersch 2005; Golladay and Holtfreter 2017; Hu, Zhang, and Lovrich 2021a). The variable ‘gender’ measured a respondent’s sex (0 = female and 1 = male). The variable ‘age’ was measured as a continuous variable (Min. = 16 and Max. = 90). The variable ‘race’ contained four groups (1 = White, 2 = African American, 3 = Asian, and 4 = other races) and it was recoded into four dichotomous variables when conducting logistic regressions. The variable ‘ethnicity’ asked a respondent if he or she was a Hispanic (0 = no and 1 = yes). The variable ‘education’ documented a respondent’s educational level (1 = less than high school, 2 = high school and associate degree, 3 = Bachelor degree, and 4 = Master degree and higher). The variable ‘income’ measured a respondent’s estimated annual income (1 = less than $10,000; 2 = $10,000-$19,999, 3 = $20,000-$29,999, 4 = $30,000-$39,999, 5 = $40,000-$49,999, 6 = $50,000-$74,999, and 7 = more than $75,000). The variable ‘married’ captured the respondent’s marital status; married or not (0 = no and 1 = yes), and the variable ‘job’ indicates a respondent’s employment status, that is having a job or not (0 = no and 1 = yes).

The second group of control variables measured a respondent’s living arrangements. Prior studies have discussed a variety of approaches to illegally obtained personal information (Reyns 2013). Some traditional approaches, such as dumpster diving, pertain to thieves entering a community and going through community dumpsters searching for identity-bearing mail discarded by community members (Allison, Schuck, and Lersch 2005). This mail often contains personal information that has not been shredded, information typically linking names, addresses, account numbers, and phone numbers. Additionally, people who move frequently often have mail going to their old addresses; such mail is valuable to motivated identity thieves. Three variables were measured in this group of control measures. The variable ‘moving’ measured a respondent’s moving frequency in the past five years (0 = not move at all, 1 = move one time, 2 = move twice, 3 = move three times, 4 = move four times, 5 = move five times, and 6 = move six and more than six times). The variable ‘gated’ measured if a respondent’s current community was a gated/or walled community (0 = no and 1 = yes). The variable ‘access’ measured if a respondent’s residential dwelling had access control to residents’ mailboxes (0 = no and 1 = yes).

The third group of control variables measured a respondent’s online behavior, as many studies have shown that online behavior, such as online shopping, downloading, and online banking, can significantly increase the likelihood of being victimized by identity theft (e.g., Hu, Zhang, and Lovrich 2021a; Reyns 2013). This group of control measures features three variables. The variable ‘online shopping’ measured a respondent’s online shopping frequency in the past 12 months (0 = never, 1 = 1–50 times, 2 = 51–100 times, 3 = 101–150 times, 4 = 151–200 times, and 5 = 201 and more times). Individuals often choose credit cards and/or debit cards to complete online purchases. The variable ‘payment credit’ asked a respondent if he or she used credit cards to do online shopping (0 = no and 1 = yes), and the variable ‘payment debit’ measured if he or she used debit cards (0 = no and 1 = yes).

Finally, since we combined three waves of the NCVS ITS, a control variable ‘year’ was created (1 = 2012, 2 = 2014, and 3 = 2016). This control variable was later recoded into three dichotomous variables when conducting logistic regressions. About 43% of the cases in the combined sample were collected in 2016 (N = 95,959), followed by 2014 (N = 64,136) and 2012 (N = 64,029). The year 2012 was treated as a reference variable.

Analytical strategies

The current study seeks to determine if taking preventive actions effectively reduces exposure to identity theft, and whether this effectiveness differs for prior victims and non-prior victims. The variable ‘prior victim’ was used to divide the original sample into two subsamples. The variable asked a respondent if he or she was a victim of identity theft prior to the past 12 months (0 = no and 1 = yes). The prior victim sample had 23,624 cases, and the non-prior victim sample had 200,500 cases. A descriptive statistical analysis was then performed to derive a ‘big picture’ of the several independent variables across these two samples. Chi-square tests and independent-sample t-tests were used to examine differences between the two samples regarding a number of variables of interest. Finally, a series of binary logistic regressions were used to identify significant factors related to identity theft victimization emerging under conditions of controlled multivariate comparisons. To illustrate model fit, the receiver operating characteristics (ROC) curve and the area under the curve (AUC) were both generated for each regression model (Hu, Zhang, and Lovrich 2021b). Based on prior studies, a model is considered to be excellent if AUC lies between 0.9 and 1.0. A model is considered to be good if its AUC falls between 0.8 and 0.9. A model is considered to be fair if AUC falls between 0.7 and 0.8. And a model is considered to be poor if its AUC is less than 0.7 (Fawcett 2006; Hu, Zhang, and Lovrich 2021b).

Results

Table 1 displays the study descriptive statistics. Regarding all five measures of identity theft used by the creators of the NCVS ITS survey, prior victims (i.e., those who had been an identity theft victim outside of the past 12 months) were more likely to be victimized again than non-prior victims. These group differences were statistically significant across all five measures. For example, the percentage of victims of opening new accounts among prior victims (1%) was double that of non-prior victims (0.5%). Similarly, the percentage of victims of misused credit cards among prior victims (9.4%) was almost 2.5 times greater than that among non-prior victims (3.8%).

Table 1. Descriptive Statistics for all Variables for Prior Victims and Non-prior Victims.

			Prior Victim (N = 23,624)		Non-Prior Victim (N = 200,500)
Variables			N (%) or Mean (S.D.)		N (%) or Mean (S.D.)		Min	Max	Difference Significance χ^2 or t
Dependent Variables
	Misuse Checking/Saving		1,560 (6.6)		7,080 (3.5)		0	1	538.21***
	Misuse Credit Cards		2,212 (9.4)		7,633 (3.8)		0	1	1,553.62***
	Misuse Other Types		376 (1.6)		1,243 (0.6)		0	1	278.22***
	Open New Accounts		244 (1.0)		917 (0.5)		0	1	135.82***
	Information Fraudulent		188 (0.8)		672 (0.3)		0	1	117.32***
Independent Variables
	Gender		11,058 (46.8)		93,472 (46.6)		0	1	0.30
	Age		50.50 (15.3)		48.40 (18.5)		16	90	19.38***
	Race
		White	20,763 (87.9)		164,354 (82.0)		0	1	514.78***
		African American	1,589 (6.7)		22,451 (11.2)		0	1	441.24***
		Asian	704 (3.0)		9,180 (4.6)		0	1	128.11***
		Others	568 (2.4)		4,515 (2.3)		0	1	2.22
	Ethnicity (Hispanic/non)		1,760 (7.5)		26,420 (13.2)		0	1	630.49***
	Education		2.61 (0.846)		2.22 (0.825)		1	4	66.439***
	Job		15,576 (66.0)		114,934 (57.4)		0	1	631.007***
	Married		14,908 (63.1)		108,106 (54.0)		0	1	716.644***
	Income		5.65 (1.751)		4.95 (1.979)		1	7	54.485***
	Moving		0.72 (1.233)		0.68 (1.134)		0	6	4.425***
	Gated		1,763 (7.5)		15,817 (7.9)		0	1	5.307*
	Access		1,726 (7.3)		15,101 (7.5)		0	1	1.548
	Online Shopping		1.01 (0.829)		0.59 (0.705)		0	5	73.923***
	Payment Credit		14,876 (63.0)		75,646 (37.8)		0	1	5,592.545***
	Payment Debit		8,169 (34.6)		49,987 (25.0)		0	1	1,024.971***
	Check Credit Reports		13,602 (57.7)		81,139 (59.4)		0	1	2,511.481***
	Change Passwords		13,260 (56.4)		62,974 (31.6)		0	1	5,750.259***
	Use Credit Monitoring		4,118 (17.5)		14,982 (7.5)		0	1	2,678.953***
	Shred Documents		20,222 (85.6)		137,115 (68.7)		0	1	2,963.361***
	Check Bank Statements		21,859 (92.7)		152,954 (76.6)		0	1	3,216.715***
	Use Security Software		6,014 (25.6)		30,322 (15.2)		0	1	1,659.821***
	Purchase ID Theft Protection		1,888 (8.0)		7,684 (3.9)		0	1	888.751***
	Year
		2012	5,462 (23.1)		58,567 (29.2)		0	1	384.083***
		2014	5,895 (25.0)		58,241 (29.0)		0	1	173.443***
		2016	12,267 (51.9)		83,692 (41.7)		0	1	859.300***

Note: *p < .05; **p < .01; ***p < .001.

Regarding independent variables among two samples, there were more White respondents in the prior-victim sample and more African American and Asian respondents in the non-prior victim sample. In terms of ethnicity, there were more Hispanic respondents in the non-prior-victim sample than in the prior victim sample. On average, prior victims had higher educational levels, higher incomes, and moved more frequently than non-prior victims. They were more likely to have a job and be married than non-prior victims. Regarding online shopping behavior, prior victims had a higher online shopping frequency than non-prior victims, and they were more likely to use credit and debit cards to complete online purchases.

Regarding preventive actions, prior victims took more protective actions than non-prior victims. Specifically, compared to non-prior victims, prior victims changed their passwords on financial accounts, shredded documents, and checked banking statements for unfamiliar charges more frequently. In addition, they were more likely to purchase credit monitoring services, use security software programs, and purchase identity theft protection from a company. Interestingly, non-prior victims were more likely to check their credit card reports than prior victims.

The next five tables display the results of logistic regression models on the five measures of identity theft used by the authors of the NCVS ITS survey. Table 2 sets forth the results of explaining misused checking/saving accounts among prior victims (i.e., Model 1) and non-prior victims (i.e., Model 2). Model 1 is statistically significant (χ² = 691.53, p < 0.001). The AUC is 0.701, which means the model is considered to be fair with regard to model fit (Figure 1). Compared to males, females were more likely to be identity theft victims. Compared to white respondents, African American respondents were more likely to be identity theft victims. Hispanic respondents were more likely to be identity theft victims than non-Hispanic persons. Respondents who did online shopping and used debit cards more often were more likely to be victims of misused checking/saving accounts. However, respondents who used credit cards more often were less likely to be the victims, which makes rather good sense because debit cards, unlike credit cards, are always related to specific checking/saving accounts. Regarding seven preventive actions, surprisingly, two actions (i.e., checking credit reports and purchasing monitoring protection) were not significant factors, and four actions (i.e., changing passwords, using credit monitoring services, checking bank statements, and using security software) were positively related to victimization by misuse of checking/saving accounts. Based on odds ratio statistics, the most influential preventive action was changing passwords, followed by checking bank statements. Only shredding documents was indicated to be a factor that substantively reduced the likelihood of misused checking/saving accounts.

Table 2. Logistic Regression Models of Misuse of Checking/Saving Accounts.

		Model 1			Model 2
		Prior ID Theft Victims			Non-Prior ID Theft Victims
		b	se	OR	b	se	OR
Demographics
	Gender	−0.181	0.057	0.834**	−0.103	0.267	0.903***
	Age	0.001	0.002	1.000	−0.001	0.001	0.999
	African American	0.354	0.103	1.424**	0.113	0.045	1.112*
	Asian	−0.406	0.214	0.666	−0.574	0.084	0.563***
	Other races	0.194	0.165	1.215	0.370	0.074	1.449***
	White	Reference			Reference
	Ethnicity (Hispanic/non)	0.319	0.097	1.376**	0.005	0.043	1.005
	Education	−0.043	0.037	0.958	−0.006	0.018	0.994
	Job	0.130	0.071	1.139	0.111	0.032	1.117**
	Married	−0.003	0.063	0.997	0.013	0.029	1.013
	Income	0.011	0.020	1.011	0.010	0.008	1.010
Living Environment
	Moving Frequency	0.075	0.023	1.078**	0.092	0.011	1.096***
	Gated Community	0.153	0.125	1.165	0.080	0.060	1.083
	Access Control	0.003	0.129	1.003	0.034	0.061	1.035
Online Behavior
	Online Shopping Frequency	0.141	0.033	1.151***	0.111	0.020	1.118***
	Online Payment with Credit Card	−0.418	0.064	0.658***	−0.207	0.031	0.813***
	Online Payment with Debit Card	0.869	0.063	2.384***	0.883	0.030	2.419***
Traditional Proactive Action
	Shred Documents	−0.172	0.824	0.841*	−0.163	0.034	0.850***
Modern Proactive Action
	Change Passwords	0.605	0.067	1.831***	0.837	0.030	2.309***
	Use Security Software Programs	0.158	0.063	1.171*	−0.014	0.033	0.986
	Purchase ID Theft Protection	0.047	0.105	1.048	0.219	0.058	1.245***
Traditional Reactive Action
	Check Credit Reports	−0.018	0.062	0.982	0.077	0.029	1.080**
	Check Bank Statements	0.601	0.163	1.823***	0.635	0.053	1.886***
Modern Reactive Action
	Use Credit Monitoring Services	0.201	0.078	1.223*	0.236	0.043	1.266***
Year
	Year 2016	0.283	0.076	1.327***	0.309	0.033	1.362***
	Year 2014	0.039	0.091	1.030	0.005	0.040	1.005
	Year 2012	Reference			Reference
Model Fit		χ^2 = 691.53***			χ^2 = 4,058.73***
Pseudo R^2		0.067			0.078

Note: No variable has VIF greater than 3. Abbreviation: se = standard error. OR = odds ratio. *p < .05; **p < .01; ***p < .001.

Model 2 is also statistically significant (χ² = 4058.73, p < 0.001). The AUC is 0.729, which means the model fit is considered to be fair. It has many similar significant factors observed in Model 1, including gender, being African American, online shopping frequency, online payment with credit cards, and online payment with debit cards. There are some differences between Model 1 and Model 2, however. For example, Model 2 indicates that having a job would increase the likelihood of being the victim of misused checking/saving accounts. Regarding seven preventive actions, Model 2 findings suggest that five of them (i.e., checking credit reports, changing passwords, using credit monitoring services, checking bank statements, and purchasing protection) were positively related to identity theft victimization. Based on odds ratio statistics, the most influential preventive action was frequently changing passwords, followed by checking bank statements and using credit monitoring services. Similar to Model 1, Model 2 findings suggest that only regularly shredding documents substantively reduced the likelihood of being a victim of misused checking/saving accounts.

Table 3 shows the models of victimization by misuse of credit cards among prior victims (i.e., Model 3) and non-prior victims (i.e., Model 4). Model 3 is statistically significant (χ² = 861.42, p < 0.001). The AUC is 0.691, which means the model is considered to be poor in fit but acceptable (Figure 2). It indicates that respondents who were male and had higher educational level were more likely to be victims of misuse of credit cards compared to respondents who were female and had lower educational level. Respondents who did frequent online shopping and used credit cards more often were more likely to be victims of misuse of credit cards. Additionally, respondents who used debit cards more often were less likely to experience misuse of credit cards since credit cards were closely related to credit card accounts. Once again, the model suggests that three of the seven preventive actions (i.e., changing passwords, using credit monitoring services, and checking bank statements) were positively related to the victimization by misuse of credit cards. According to odds ratio statistics, the most influential preventive action was checking bank statements, followed by using credit monitoring services. Only shredding documents regularly substantially reduced the likelihood of being a victim of misuse of credit cards.

Table 3. Logistic Regression Models of Misuse of Credit Cards.

		Model 3			Model 4
		Prior ID Theft Victims			Non-Prior ID Theft Victims
		b	se	OR	b	se	OR
Demographics
	Gender	0.111	0.049	1.117*	0.071	0.026	1.074**
	Age	0.008	0.002	1.008***	0.008	0.001	1.008***
	African American	−0.127	0.134	0.880	−0.333	0.062	0.717***
	Asian	0.139	0.125	1.149	−0.092	0.058	0.912
	Other races	0.001	0.185	1.000	−0.057	0.103	0.944
	White	Reference			Reference
	Ethnicity (Hispanic/non)	0.136	0.105	1.145	−0.132	0.052	0.876*
	Education	0.201	0.030	1.222***	0.226	0.016	1.253***
	Job	−0.034	0.061	0.967	−0.012	0.032	0.988
	Married	0.032	0.058	1.033	0.029	0.030	1.029
	Income	0.060	0.020	1.062**	0.060	0.009	1.061***
Living Environment
	Moving Frequency	−0.007	0.025	0.993	0.025	0.013	1.026
	Gated Community	0.092	0.111	1.097	0.087	0.059	1.091
	Access Control	0.109	0.112	1.115	0.107	0.060	1.113
Online Behavior
	Online Shopping Frequency	0.309	0.026	1.362***	0.275	0.017	1.317***
	Online Payment with Credit Card	0.616	0.077	1.851***	0.624	0.036	1.866***
	Online Payment with Debit Card	−0.571	0.061	0.565***	−0.440	0.033	0.644***
Traditional Proactive Action
	Shred Documents	−0.193	0.079	0.825*	−0.122	0.037	0.886**
Modern Proactive Action
	Change Passwords	0.294	0.055	1.341***	0.548	0.029	1.730***
	Use Security Software Programs	0.034	0.054	1.035	−0.024	0.031	0.977
	Purchase ID Theft Protection	0.089	0.087	1.092	−0.015	0.054	0.985
Traditional Reactive Action
	Check Credit Reports	−0.042	0.053	0.959	0.004	0.028	1.004
	Check Bank Statements	0.403	0.147	1.496**	0.629	0.618	1.876***
Modern Reactive Action
	Use Credit Monitoring Services	0.261	0.064	1.299***	0.307	0.039	1.359***
Year
	Year 2016	0.450	0.069	1.569***	0.393	0.033	1.481***
	Year 2014	0.222	0.081	1.245**	0.083	0.040	1.087*
	Year 2012	Reference			Reference
Model Fit		χ^2 = 861.42***			χ^2 = 3,936.78***
Pseudo R^2		0.067			0.078

Note: No variable has VIF greater than 3. Abbreviation: se = standard error. OR = odds ratio. *p < .05; **p < .01; ***p < .001.

Model 4 is also statistically significant (χ² = 3936.78, p < 0.001). The AUC is 0.720, which means the model is considered to be fair with respect to model fit. It has some similar significant factors to those observed in Model 3, including gender, educational level, online shopping frequency, online payment with credit cards, and online payment with debit cards. Model 4 also reveals that African American respondents were less likely to be victims of misuse of credit cards compared to white respondents. Non-Hispanics were less likely to be victims of misuse of credit cards, too. Regarding seven preventive actions, similar to Model 3, Model 4 results suggest that only the shredding of personal information-bearing documents is negatively related to misuse credit cards, while three other actions (i.e., changing passwords, using credit monitoring services, and checking bank statements) were positively related to the victimization. Based on odds ratio statistics, checking bank statements was the most influential prevention action in predicting misuse of credit cards among non-prior victims.

Table 4 sets forth the models of victimization of other types among prior victims (i.e., Model 5) and non-prior victims (i.e., Model 6). Other types of victimization typically include telephone accounts, PayPal accounts, and iTunes accounts. Model 5 is statistically significant (χ² = 183.17, p < 0.001). The AUC is 0.701, which means the model is considered to be fair with respect to model fit (Figure 3). Compared to white respondents, African Americans were more likely to be victims of misuse of other types. Respondents who did not have a job were more likely to be among this type of victim. Purchasing things online with credit cards or debit cards was no longer related to misuse of other types, but online shopping frequency was still significantly and positively related to this type of victimization. Among seven preventive actions, four of them were not significant factors. Three of them (i.e., changing passwords, using credit monitoring services, and using security software) were, once again, positively related to victimization of other types. Changing passwords was the most influential prevention action in predicting misuse of other types among prior identity theft victims, followed by using security software programs and using credit monitoring services.

Table 4. Logistic Regression Models of Misuse of Other Types.

		Model 5			Model 6
		Prior ID Theft Victims			Non-Prior ID Theft Victims
		b	se	OR	b	se	OR
Demographics
	Gender	−0.141	0.112	0.868	0.034	0.062	1.035
	Age	−0.008	0.005	0.992	−0.001	0.002	0.999
	African American	0.553	0.189	1.739**	0.072	0.108	1.075
	Asian	0.226	0.316	1.254	−0.328	0.173	0.720
	Other races	0.398	0.293	1.489	0.680	0.148	1.974***
	White	Reference			Reference
	Ethnicity (Hispanic/non)	0.131	0.208	1.140	0.066	0.101	1.069
	Education	0.043	0.071	1.044	0.110	0.041	1.112**
	Job	−0.289	0.130	0.749*	−0.106	0.073	0.899
	Married	−0.078	0.124	0.925	−0.071	0.068	0.931
	Income	−0.054	0.037	0.947	−0.028	0.019	0.972
Living Environment
	Moving Frequency	0.078	0.044	1.081	0.121	0.024	1.128***
	Gated Community	−0.291	0.276	0.747	−0.048	0.144	0.953
	Access Control	−0.194	0.272	0.824	−0.224	0.150	0.799
Online Behavior
	Online Shopping Frequency	0.347	0.050	1.414***	0.304	0.036	1.355***
	Online Payment with Credit Card	−0.110	0.134	0.896	0.024	0.073	1.024
	Online Payment with Debit Card	0.185	0.120	1.203	0.305	0.069	1.357***
Traditional Proactive Action
	Shred Documents	−0.157	0.164	0.855	−0.116	0.082	0.890
Modern Proactive Action
	Change Passwords	0.693	0.137	1.999***	1.019	0.074	2.771***
	Use Security Software Programs	0.383	0.117	1.467**	0.133	0.073	1.143
	Purchase ID Theft Protection	0.131	0.185	1.140	0.227	0.124	1.255
Traditional Reactive Action
	Check Credit Reports	0.015	0.124	1.015	0.253	0.070	1.288***
	Check Bank Statements	0.086	0.252	1.090	0.264	0.110	1.302*
Modern Reactive Action
	Use Credit Monitoring Services	0.365	0.142	1.441*	0.309	0.095	1.361**
Year
	Year 2016	−0.019	0.138	0.981	0.029	0.075	1.030
	Year 2014	−0.313	0.177	0.731	−0.111	0.090	0.895
	Year 2012	Reference			Reference
Model Fit		χ^2 = 183.17***			χ^2 = 840.43***
Pseudo R^2		0.052			0.064

Note: No variable has VIF greater than 3. Abbreviation: se = standard error. OR = odds ratio. *p < .05; **p < .01; ***p < .001.

Model 6 shows misuse of other types among non-prior identity theft victims. The model is statistically significant (χ² = 840.43, p < 0.001). The AUC is 0.746, which means the model is considered to be fair in terms of fit. It reveals that respondents who had a higher educational level and moved more frequently were more likely to be victims of misuse of other types. Online shopping frequency and online payment with debit cards were significant factors in this type of victimization. Three of the seven preventive actions (i.e., shredding documents, using security software programs, and purchasing identity theft protection) had no impact on misuse of other types. Four actions (i.e., checking credit reports, changing passwords, using credit monitoring services, and checking bank statements) were positively related to misuse of other types. Once again, changing passwords was the most influential prevention action in predicting misuse of other types among non-prior identity theft victims, followed by using credit monitoring services and checking bank statements.

Table 5 shows the findings of the models of victimization of opening new accounts among prior victims (i.e., Model 7) and non-prior victims (i.e., Model 8). Model 7 is statistically significant (χ² = 169.12, p < 0.001). The AUC is 0.725, which means the model is considered to be fair in model fit (Figure 4). Compared to whites and non-Hispanics, African Americans and Hispanics were more likely to be the victims of opening new accounts. Undoubtfully, online shopping frequency was positively related to this type of identity theft. However, surprisingly online payment with credit cards or debit cards did reduce the likelihood of being victims of opening new accounts. Among seven preventive actions, frequently checking bank statements was negatively related to opening new accounts among prior victims. However, four preventive actions (i.e., checking credit reports, changing passwords, using credit monitoring services, and purchasing identity theft protection) were positively related to this type of identity theft victimization. Based on odds ratio statistics, the most influential preventive action was purchasing identity theft protection among prior victims, followed by changing passwords and checking credit reports.

Table 5. Logistic Regression Models of Opening New Unauthorized Accounts.

		Model 7			Model 8
		Prior ID Theft Victims			Non-Prior ID Theft Victims
		b	se	OR	b	se	OR
Demographics
	Gender	0.180	0.138	1.197	0.002	0.072	1.002
	Age	0.001	0.006	1.001	0.002	0.003	1.002
	African American	0.558	0.218	1.746*	0.605	0.101	1.832***
	Asian	−0.288	0.513	0.749	−0.053	0.194	0.948
	Other races	0.232	0.370	1.262	0.896	0.161	2.451***
	White	Reference			Reference
	Ethnicity (Hispanic/non)	0.564	0.213	1.759**	0.310	0.111	1.364**
	Education	−0.036	0.090	0.965	0.106	0.048	1.112*
	Job	0.076	0.169	1.079	−0.213	0.084	0.808*
	Married	−0.172	0.152	0.842	−0.209	0.079	0.811**
	Income	−0.065	0.046	0.937	−0.092	0.022	0.913***
Living Environment
	Moving Frequency	0.079	0.054	1.082	0.074	0.030	1.077*
	Gated Community	−0.304	0.328	0.738	0.157	0.150	1.169
	Access Control	0.094	0.313	1.098	−0.002	0.158	0.998
Online Behavior
	Online Shopping Frequency	0.249	0.071	1.283***	0.220	0.049	1.246***
	Online Payment with Credit Card	−0.662	0.164	0.516***	−0.322	0.089	0.725***
	Online Payment with Debit Card	−0.359	0.156	0.699*	−0.114	0.086	0.893
Traditional Proactive Action
	Shred Documents	0.062	0.214	1.064	0.021	0.098	1.021
Modern Proactive Action
	Change Passwords	0.619	0.167	1.856***	0.897	0.086	2.451***
	Use Security Software Programs	0.268	0.149	1.307	0.055	0.088	1.057
	Purchase ID Theft Protection	0.850	0.193	2.339***	0.863	0.116	2.371***
Traditional Reactive Action
	Check Credit Reports	0.611	0.172	1.843***	0.662	0.086	1.939***
	Check Bank Statements	−0.562	0.246	0.570*	0.176	0.120	1.192
Modern Reactive Action
	Use Credit Monitoring Services	0.409	0.177	1.505*	0.682	0.103	1.977***
Year
	Year 2016	−0.291	0.166	0.675	−0.014	0.088	0.917
	Year 2014	−0.394	0.212	0.748	−0.087	0.105	0.986
	Year 2012	Reference			Reference
Model Fit		χ^2 = 168.12***			χ^2 = 725.08***
Pseudo R^2		0.068			0.071

Note: No variable has VIF greater than 3. Abbreviation: se = standard error. OR = odds ratio. *p < .05; **p < .01; ***p < .001.

Model 8 is also statistically significant (χ² = 725.08, p < 0.001). The AUC is 0.741, which means the model is considered to be fair with respect to model fit. Compared to Model 7, it reveals more demographic variables being related to opening new unauthorized accounts. Specifically, respondents who were married and had a job were less likely to be victims. Online shopping frequency was positively related to this type of victimization and using credit cards to complete online purchasing reduced the likelihood of being victims of opening new accounts. Just like the findings shown in Model 7, four of the seven preventive actions (i.e., checking credit reports, changing passwords, using credit monitoring services, and purchasing identity theft protection) were positively related to opening new unauthorized accounts. Changing passwords was the most influential preventive action in predicting opening new unauthorized accounts among non-prior identity theft victims, followed by purchasing identity theft protection and using credit monitoring services.

Finally, Table 6 shows the models of victimization of using personal information for other fraudulent purposes (e.g., getting a job, renting a house, and receiving medical care) among prior victims (i.e., Model 9) and non-prior victims (i.e., Model 10). While this type of identity theft was not very common, there were still a few significant findings to be noted. Model 9 is statistically significant (χ² = 84.24, p < 0.001). The AUC is 0.693, which means the model is considered to be poorly fitting but acceptable (Figure 5). Compared to males, females were more likely to be this type of identity theft victim. Online shopping frequency was positively related to using personal information for other fraudulent purposes. However, completing online payments with credit cards was a negative factor. Three preventive actions (i.e., changing passwords, using credit monitoring services, and purchasing protection) were positively related to this type of victimization among prior identity theft victims. Based on odds ratio statistics, changing passwords was the most influential preventive action among prior identity theft victims, followed by purchasing identity theft protection.

Table 6. Logistic Regression Models of Victim of Fraudulent Information Being Added to Records &/or Personal Accounts.

		Model 9			Model 10
		Prior ID Theft Victims			Non-Prior ID Theft Victims
		b	se	OR	b	se	OR
Demographics
	Gender	−0.327	0.162	0.721*	−0.162	0.086	0.850
	Age	0.001	0.007	1.001	0.001	0.003	1.000
	African American	0.479	0.259	1.614	0.312	0.126	1.366*
	Asian	−0.030	0.515	0.970	−0.463	0.266	0.629
	Other races	0.669	0.373	1.954	0.261	0.242	1.298
	White	Reference			Reference
	Ethnicity (Hispanic/non)	−0.451	0.369	0.637	0.268	0.127	1.308*
	Education	0.084	0.100	1.088	0.116	0.057	1.123*
	Job	−0.144	0.187	0.866	−0.229	0.097	0.795*
	Married	−0.004	0.178	0.996	−0.077	0.092	0.926
	Income	−0.044	0.053	0.957	−0.101	0.025	0.904***
Living Environment
	Moving Frequency	0.025	0.067	1.026	0.067	0.036	1.069
	Gated Community	−0.247	0.374	0.781	−0.014	0.195	0.986
	Access Control	0.228	0.352	1.256	−0.156	0.204	0.855
Online Behavior
	Online Shopping Frequency	0.175	0.086	1.192*	0.118	0.067	1.125
	Online Payment with Credit Card	−0.467	0.187	0.627*	−0.216	0.108	0.806*
	Online Payment with Debit Card	0.111	0.174	1.117	−0.007	0.103	0.993
Traditional Proactive Action
	Shred Documents	0.167	0.257	1.182	−0.056	0.110	0.946
Modern Proactive Action
	Change Passwords	0.708	0.194	2.031***	0.684	0.099	1.982***
	Use Security Software Programs	0.038	0.174	1.039	−0.051	0.109	0.950
	Purchase ID Theft Protection	0.622	0.235	1.862**	0.573	0.150	1.774***
Traditional Reactive Action
	Check Credit Reports	0.142	0.180	1.152	0.362	0.097	1.436***
	Check Bank Statements	−0.281	0.322	0.755	0.139	0.132	1.149
Modern Reactive Action
	Use Credit Monitoring Services	0.408	0.203	1.503*	0.776	0.124	2.174***
Year
	Year 2016	0.217	0.209	1.242	0.104	0.103	1.109
	Year 2014	−0.311	0.276	0.732	−0.267	0.130	0.766*
	Year 2012	Reference			Reference
Model Fit		χ^2 = 84.24***			χ^2 = 300.66***
Pseudo R^2		0.043			0.039

Note: No variable has VIF greater than 3. Abbreviation: se = standard error. OR = odds ratio. *p < .05; **p < .01; ***p < .001.

Model 10 is also statistically significant (χ² = 300.66, p < 0.001). The AUC is 0.686, which means the model fit is considered to be poor but acceptable. Among non-prior identity theft victims, being Hispanic and having a higher educational level increased the likelihood of being a victim of this type of identity theft. Having a job and a higher income level reduced the likelihood. Online shopping frequency was not a significant factor in Model 10 but completing online purchasing with credit cards was still a negative factor relating to using personal information for other purposes fraudulently. Four preventive actions (i.e., changing passwords, checking credit reports, using credit monitoring services, and purchasing protection) were positively related to this type of victimization among non-prior identity theft victims. Using credit monitoring services was the most influential preventive action, followed by changing passwords and purchasing identity theft protection.

Discussion

Although identity theft has received much research attention in the recent decade, studies on preventive actions remain limited in number and scope. Using three waves of the ITS, this study explores two core research questions: 1) are identity theft preventive actions related to one’s likelihood of identity theft victimization? and 2) do identity theft preventive actions play a different role in explaining identity theft victimization between victims who had been victimized in the past (i.e., prior victim) and victims who had not been previously victimized (i.e., non-prior victim)? Overall, the findings suggest that all three reactive preventive actions (i.e., checking credit reports, checking bank statements, and using credit monitoring services) either have no significant relationship with identity theft victimization or have even a positive relationship with it (with the lone exception of checking bank statements in Model 7). This finding is consistent with some previous findings that reactive preventive actions may not reduce identity theft victimization to any noteworthy degree (Burnes, DeLiema, and Langton 2020; Reyns and Henson 2016; Williams 2016).

There are two possible explanations that might explain these results. First, the reactive preventive actions are not performed to deter identity theft. Instead, these actions are used to reduce loss when identity theft occurs (Hu, Zhang, and Lovrich 2021a). For example, in checking bank statements it is impossible to know if an unauthorized purchase will happen in ensuing months; while it is relatively easy to identify an unauthorized past purchase, it is very difficult to know if future unauthorized purchases are going to be made by nefarious parties in possession of one’s personal information. Second, as with prior research (Burnes, DeLiema, and Langton 2020; Williams 2016), a causal relationship cannot be established in the current study because cross-sectional data are used to explore identity theft. In other words, although the current study can document a positive relationship between reactive preventive actions and identity theft, it is not safe to conclude that reactive preventive actions themselves lead to identity theft. For example, a person may check credit reports and bank statements more frequently precisely because he or she engages in more risky activities that may increase the likelihood of being an identity theft victim. A conservative conclusion within the context of use of cross-sectional data would seem to be that reactive preventive actions likely do not prevent identity theft.

Regarding proactive preventive actions, all three modern proactive preventive actions (i.e., changing passwords frequently, using security software programs, and purchasing identity theft protection) either have a positive relationship to identity theft or have no significant relationship. Our findings reported here are consistent with some prior research reported in the literature (e.g., Holt and Bossler 2008; Leukfeldt 2014; Marcum 2008; Reyns and Henson 2016; Williams 2016). Once again, due to the limitation of the cross-sectional data, the current study cannot draw a solid conclusion that proactive preventive actions themselves increase identity theft. However, if they do, this may be due to two possible reasons. First, as Liu explains in a 2019 study, ‘rational actor’ individuals may underestimate identity theft risk and engage in more risky activities if they think they are safe because of security programs and the identity theft insurance they purchase. Second, individuals must provide their sensitive personal information when they use modern proactive preventive actions. For example, they must reveal their social security numbers (SSN) to agencies to purchase identity theft monitoring protection and to purchase identity theft insurance. Likewise, they must reveal their passwords to security software program vendors and insurers. Such actions inevitably increase the likelihood of sensitive information being breached. In the worst-case scenario, security companies intentionally sell the information for profit.

On a much-needed positive note, the current study’s finding showing that one traditional proactive preventive action – the shredding of personal information-bearing documents – negatively relates to identity theft victimization (Burnes, DeLiema, and Langton 2020; Dean, Buck, and Dean 2014; Lai, Li, and Hsieh 2012). This finding raises the question of whether some ‘new-fashion’ preventive actions might do a better job of identity theft protection than ‘old-fashion’ preventive actions. Regarding the second research question, prior victims were more likely to be victimized again than non-prior victims on all five measures of identity theft used by the authors of the NCVS ITS survey. Besides, the overall findings suggest that commonly employed preventive actions show little efficacy for either prior victims or non-prior identity theft victims.

The current study confirms some previous findings suggesting that online behavior tends to impact different types of identity theft (Holtfreter et al. 2015; Hu, Zhang, and Lovrich 2021a; Reyns 2013). Individuals who shop online more frequently are more likely to be victims of the misuse of their checking/saving accounts, credit cards, and the danger of nefarious persons opening new unauthorized accounts in their names. An interesting finding is that online shopping with credit cards can reduce the likelihood of being victims of misuse of checking/saving accounts and opening new accounts, but increase the likelihood of being a victim of misuse of said credit cards. Meanwhile, online shopping with debit cards can reduce the likelihood of being victims of misuse of credit cards but increase the likelihood of being victims of misuse of checking/saving accounts. This finding fits common logic. Since online shopping platforms often require customers to complete payments online, it seems clear that individuals should prefer using credit cards to debit cards for online purchasing. Reimbursement policies maintained by credit card companies are typically much better than those attached to regular bank or savings-and-loan institutional accounts.

Based on our findings, we propose some noteworthy suggestions on preventing identity theft victimization. First, the significance of online shopping behavior on identity theft victimization indicates that preventive actions related to online behavior should be effective in preventing identity theft (Hu, Zhang, and Lovrich 2021a). However, preventive actions related to online behavior (e.g., changing passwords frequently and using security software programs) would seem to have very poor efficacy. It seems clear that individuals would be well advised to exercise a very high level of care about their online behavior. For instance, individuals should be advised to only visit certified websites – a lock icon in front of a web address shows up in an Internet explorer indicating a certification. Internet users would also be well advised to deal with online payments with great caution (Hu, Zhang, and Lovrich 2021a). Second, most preventive actions measured by the current study, either proactive or reactive, have been found to be of extremely limited efficacy in preventing identity theft. To be noted, the current study shows that conventional preventive actions do not demonstrate great efficacy in the prevention of identity theft.

Nevertheless, our findings do not suggest that these actions are completely useless in dealing with the risk of identity theft. For example, while checking credit reports and bank statements frequently may not reduce the likelihood of future identity theft, investigations made into known cases of identity theft do help the financial institutions and law enforcement identify patterned activities and identify habitual identity theft actors. Moreover, it can help victims detect their victimization early in order to prevent further loss. Also, while purchasing identity theft protection does not prevent identity theft (Hu, Zhang, and Lovrich 2021a) it often can compensate victims for their financial loss.

That said, it may well be the case that individuals may be inclined to underestimate identity theft risk and engage in more risky activities if they think they are safer after purchasing these security programs and insurance (Liu 2019). Policymakers may need to regulate more closely the advertisements made by identity theft protection companies, marketing come-ons which may give their customers false expectations as to their level of safety (also see Hu, Zhang, and Lovrich 2021a, p. 490). Besides, the ‘no-big-difference’ finding between prior identity theft victims and non-prior identity theft victims indicates that most preventive actions do not prevent individuals from being either identity theft victims in the first place or repeated victims. Perhaps the best practice advice is to minimize the sharing of personal information as a general rule of responsible Internet use.

It is unrealistic to ask individuals to limit their use of the Internet, especially after our collective experience with the COVID-19 pandemic. Also, a vast amount of personal data is often stored by commercial companies. A recent study interviewed industry insiders, asking about their perspectives on preventing identity theft. The study points out that ‘there is a pressing need for many companies to update antiquated technology that may be 30 years old or older, and that often is mixed with new technology’ (Piquero et al. 2021, p. 457). Some new information security technologies (e.g., two-factor authentication and biometric identifiers), according to insiders’ knowledge, can be effective tools of fighting identity theft (Piquero et al. 2021). Perhaps the federal government needs to regulate more aggressively those companies that store substantial amounts of personal information to enhance the likelihood of their use of emerging data security technologies.

As with all research, some study limitations require mention. First, the current study only includes online shopping as an indicator of survey respondent online behavior. Many types of online behavior, such as downloading, are not tested in the current study. Furthermore, many types of online payments, such as e-commerce payment systems (e.g., PayPal, Apple Pay, and Zelle), are not tested either. Considering that many individuals have started using these e-commerce payment systems for online purchasing and interpersonal transactions, it is important to include them in future research. Second, the cross-sectional data used in the current study cannot detect any causal relationship between identity theft victimization and preventive actions (Burnes, DeLiema, and Langton 2020; Hu, Zhang, and Lovrich 2021a; Williams 2016). Future research should attempt to implement a longitudinal research design. Panel studies, in which reactive and proactive actions are measured prior to the period in which victimization is measured would solve this problem in future studies.

Third, the current study only focuses on the seven preventive actions measured by NCVS ITS. There may be other preventive actions worthy of exploring, as listed on the Federal Trade Commission (FTC) website (https://www.consumer.ftc.gov/topics/identity-theft). For example, digital personal information can be encrypted. Additional personal credentials can be required for sensitive transactions, such as fingerprints, facial images, retina scans, and similar forms of multi-factor authentication. Technological approaches, such as biometric and dark web scanning, may also help fight identity theft (Piquero et al. 2021). Future research should include explorations of these preventive actions. Finally, the current study analyzes only five commonly-experienced types of identity theft victimization. There are more types of identity theft that have not been adequately studied, such as child identity theft, medical identity theft, and tax identity theft. Future research must be carried out in these important areas as well.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Notes on contributors

Xiaochen Hu

Xiaochen Hu is an Associate Professor in the Department of Criminal Justice at Fayetteville State University. He received his Ph.D. in Criminal Justice from Sam Houston State University. He conducts both quantitative and qualitative studies related to police decision making, police culture, community-oriented policing, gangs, and criminal justice and mass media.

Jae-Seung Lee

Jae-Seung Lee is an Assistant Professor of criminal justice program at Northern Kentucky University. His research focuses on crime prevention, police-community relations, police practices, and cybercrime.

Nicholas P. Lovrich

Nicholas P. Lovrich is a Regents Professor Emeritus and Claudius O. and Mary W. Johnson Distinguished Professor of Political Science in the School of Politics, Philosophy and Public Affairs at Washington State University. He is a graduate of Stanford University, and received his Ph.D. in Political Science from U.C.L.A. He has worked with federal, state, tribal, campus, county and municipal law enforcement agencies on applications of community policing concepts in carrying out the missions of those agencies over the course of the past three decades.