Australian Institute of Criminology

Skip to content


In the 21st century, one of the most pressing international crime problems that confronts developed societies is the creation and use of misleading and deceptive identities (Smith 2011). Identity crime is a complex concept used to refer to a range of methodologies used to commit specific forms of deception and fraud. The creation, theft and misuse of identification evidence lies at the heart of the concept, but the crimes involved invariably entail fraud or obtaining a financial advantage by deception—rather than legislation that proscribes the misuse of personal information itself (Smith 2014, 2011).

Identity crime and misuse of personal information arise in a wide variety of contexts. In the public sector, misuse of personal information has been recognised in income tax evasion, customs duty and Goods and Services Tax fraud, superannuation fraud, obtaining welfare and healthcare benefits achieved through the use of false names, immigration fraud and taking English language tests for someone else. In the private sector, the principal risk areas have been identified as being opening bank accounts in false names and obtaining finance; ATM, online and mobile banking and payment card fraud; funds transfer fraud; and securities and investment fraud. In addition, there are various criminal activities that are reliant on misuse of personal information including money laundering; motor vehicle re-birthing; art and antiquity fraud; obtaining security guard, motor vehicle, boat and shooters’ licences in false names or with the use of fabricated evidence of identity; and even avoiding driving demerit points and local government fees. In the realm of violent crime, individuals have historically sought to avoid detection and prosecution for murder, sexual assault and robbery by pretending to be someone else.

In May 2013, the AIC was commissioned by the AGD to undertake a national survey to determine the extent and impact of identity crime and misuse in Australia. Research of this nature is one in a series of initiatives that are being implemented or developed as part of the National Identity Security Strategy (NISS; AGD 2012a). COAG endorsed the NISS in 2007 as Australia’s national response to enhancing identity security with the purpose of preventing identity crime and misuse, contributing to national security and facilitating the benefits of the digital economy (AGD 2012a, 2012b).

In 2012, COAG reviewed the NISS and identified five guiding principles to shape identity security in Australia in the future. These principles were that:

  • protecting the identity information of Australians is a shared responsibility;
  • the community’s confidence in business and public trust in government is supported by identity security;
  • [in order] to deter crime and foster national security, identity security must be based on a risk management approach;
  • commonly accepted identity credentials must be supported by strong security measures; and
  • identity security needs to be a core feature of standard business processes and systems (AGD 2012a: 3).

These principles were used to develop an overarching framework of responses that have predominantly focused on the enhancement of existing methods, or implementation of improved, automated forms of, both identity document production and authentication. Complementary activity sought to improve community awareness and understanding of identity crime and misuse, including the development of education and awareness materials on the risks of identity crime and misuse, and the preventative approaches that can be taken to minimise that risk.

Four key objectives were chosen as the policy platform to define the 2012 NISS. These objectives were to:

  • prevent and deter identity crime and misuse;
  • detect and measure identity crime and misuse;
  • support Australians recovering from identity theft or loss; and
  • enable trusted online business and interactions through stronger identity security (AGD 2012a: 15).

In early 2013, the AIC undertook research to identify a small suite of indicators that could be used to measure the extent of identity crime and misuse (Bricknell & Smith 2013) and the present survey is one of a number of research activities that aims to populate some of the indicators with quantitative data. The aim was to undertake a small-scale online survey to measure the:

  • personal experience of identity crime—number of contacts, responses and victimisation incidents;
  • manner of contact and response;
  • type of identity crime;
  • financial loss and other impact;
  • reporting and response activities;
  • perceptions of risk over the next 12 months;
  • perceptions of criminality of identity crime; and
  • demographic information—age, gender, residence, urban/regional, income, marital status, education, employment, place of birth, English language usage, Indigenous status, household size, housing.

This report presents the results of the survey undertaken in 2013. It is proposed that the survey will be replicated regularly so that time-series data can be compiled to measure changes in the information gathered from year to year.

Prior research into identity crime and misuse

The use of stolen, fabricated or manipulated identities to commit or enable crime is not a new phenomenon but one in which the potential for falsification and misuse of identity information has been enhanced with the expansion of new technologies (Smith 2011). The scale and impact of these crimes are variable but issues of definition, low reporting rates and inconsistent data recording practices among agencies that detect or deal with these incidents introduces uncertainty around the true prevalence and cost of the problem (Bricknell & Smith 2013).

A number of attempts have been made in Australia in the past to quantify the level of identity crime. The most rigorous, albeit somewhat dated, estimate of the cost of identity crime identified a financial impact of $1.1b (with an estimation error of $130m) for 2001–02 (Cuganesan & Lacey 2003). Thirty-eight percent of that cost was attributable to actual losses incurred ($420m).

Prevalence estimates are more current but only include individual victimisation rates and are based on a narrow set of offences. The ABS’ 2010–11 Personal Fraud Survey (ABS 2012) estimated that four percent of the Australian population aged 15 years and over (n=702,100) had experienced identity fraud in the 12 months prior to the survey. For the purposes of that survey, identity fraud was defined as ‘the theft of personal details without a person’s consent…[that] are then used to engage in fraudulent activities…’ (ABS 2012: np). The majority of identity fraud victims experienced credit card fraud (n=662,300, or 3.7% of the Australian population); the rest described themselves as victims of identity theft (n=44,700, or 0.3% of the Australian population).

In 2013, a study commissioned by the OAIC (2013) was undertaken in which respondents were asked (among other things) whether they or someone they know had ever been the victim of identity fraud or theft. Despite the generality of the question, 13 percent of Australians aged 18 years or over claimed they had been a victim themselves and 21 percent knew someone who had been a victim (OAIC 2013). Overall, a third of respondents (33%) had either been a victim or knew someone who had been a victim of identity fraud or theft.

In the United Kingdom, the prevalence of identity crime has been documented and found to be higher than the data reported by the OAIC (2013). In December 2012, the National Fraud Authority (2013) commissioned a survey with a nationally representative sample of 4,213 adults aged 18 years and over in the United Kingdom to understand the prevalence and cost of identity fraud against individuals. The survey found that identity fraud was estimated to cost adult victims in the United Kingdom £3.3b during 2012 and that 8.8 percent (4.3 million) of UK adults had been a victim, with those who actually lost money (2.7 million) losing an average of £1,203 each. Overall, 27 percent of respondents had been a victim at some point in their lives and 19 percent of those a victim before 2012.

In the United States in 2012, a survey concerning identity theft was administered as a supplement to the Bureau of Justice Statistic’s NCVS, which collects data on crime reported and not reported to the police against persons aged 12 years and over from a nationally representative sample of households. The Identity Theft Supplement questions collected individual data on the prevalence of, and victim response to, the attempted or successful misuse of an existing account, misuse of personal information to open a new account, or misuse of personal information for other fraudulent purposes. Respondents were asked whether they experienced any of these types of misuse during the 12 months prior to the interviews, which were conducted from July 2011 to June 2012. Most of the Supplement questions asked respondents aged 16 years and over about the most recent incident that they had experienced (apart from total financial losses) that related to all incidents experienced during the previous 12 months (Harrell & Langton 2013).

Overall, it was found that 6.7 percent of persons aged 16 and over had been victims of identity theft in the 12 months preceding the interview. In terms of lifetime prevalence, 14 percent of persons aged 16 and over (or 34.2 million persons) experienced one or more incidents of identity theft at some time during their lives. In 2012, 68 percent of identity theft victims reported a combined direct and indirect financial loss associated with the most recent incident, with a mean loss of US$1,769 and a median loss of US$300. In total, identity theft victims reported US$24.7b in direct and indirect losses attributed to all incidents of identity theft experienced in 2012. At the time of the interview, 14 percent of victims had experienced personal out-of-pocket financial losses of US$1 or more. Of these victims who suffered an out-of-pocket financial loss, 49 percent had total losses of US$99 or less, while approximately 18 percent reported out-of-pocket expenses of between US$100 and US$249. An additional 16 percent reported out-of-pocket expenses of US$1,000 or more (Harrell & Langton 2013).

These NCVS survey results show higher prevalence rates for the preceding 12 months than the ABS (2012) and OAIC (2013) Australian results, but lower than the UK (NFA 2013) findings. In terms of lifetime prevalence, the NCVS survey reported a lower prevalence (14%) than that of the United Kingdom (27%), but similar to Australia (13%; OAIC 2013).

The type of personal information at risk of misuse by identity criminals falls into two categories—life history information and financial information. Examples of the former include details of a person’s name, sex, age, address and a variety of numbers used as identifiers when dealing with government agencies and businesses. Examples of the latter include bank account information such as account names, numbers, commencement and expiry dates, and secure numbers and passwords used to conduct secure electronic transactions. In addition, biometric data such as that obtained from fingerprint or facial scanning is a form of personal information that can be misused for the commission of identity crime (Smith 2011).

Personal identification information can be obtained from a variety of sources including accidental data leakage from government or business networks, deliberate harvesting of data through the use of computer hacking, by gathering documents that contain personal information or by social engineering in which individuals are persuaded or tricked into disclosing personal information for subsequent use in criminal activities. Cases of accidental or negligent data leakage that provide a rich source of personal information for potential misuse by criminals continue to be disclosed.

In an attempt to document these sources of illicit personal information each year, Verizon (2013), in collaboration 19 international data providers including the Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, the Police Central e-Crime Unit, the United States Secret Service and others, publishes a report in which the nature and extent of the external forensic investigations that it conducts are quantified. The report found that 621 data breach incidents were recorded in 2012, involving over 44 million compromised records. The highest percentage (92%) of incidents arose from parties external to organisations. More than half (55%) of breaches were tied to organised criminal activity, including identity theft (Verizon 2013).

Arguably, the most successful means of dishonestly obtaining personal information online is through the range of activities known as phishing (APWG 2013). Phishing involves the use of technological means coupled with social engineering designed to trick unsuspecting users of the internet into disclosing personal information in response to an unsolicited request, usually received by email. Once this information has been obtained, criminals may sell it to another person or use it to commit identity fraud.

The growth in the number of phishing attacks has been exponential until recently, where it appears to be declining slightly. The actual number of phishing sites is, however, still substantial. The Anti-Phishing Working Group (APWG), which is an industry association formed in 2003 to eliminate identity theft and fraud that results from phishing and email spoofing, found in its survey of sites during the period April to June 2013, that unique phishing attack reports submitted to APWG reached a high of 20,086 in April, slightly less than the 20,908 in April 2011. The number of unique phishing websites detected by APWG during May 2013 was 44,511, some 26 percent higher than in May 2011 (n=35,213). The United States has remained the country that hosts the most phishing websites (APWG 2013, 2011).

Criminal misuse of identity lies at the heart of most consumer scams, with offenders pretending to be other people or businesses in order to trick the victim into participating in the scam, while at the same time making their own identity hard for police to discover. A good example of this concerns the various advance fee frauds perpetrated globally by a group of West Africans and others since the 1980s. Various offenders began working from Nigeria targeting victims across the globe. Confederates and other fraudsters in other African countries, the United States, Britain, Canada, Hong Kong and Japan then began using the same techniques. The scale of these frauds increased considerably and created a global problem for law enforcement. Email has proved to be an effective way of disseminating advance fee letters, as the true identity of the sender is easy to disguise and original supporting documentation unable to be checked for authenticity (Smith 2014).

Each year since 2007, the AIC has collected information on consumer scams by conducting an online survey of Australians who have received scam invitations during the preceding 12 months. In 2012, a high proportion of respondents reported receiving a scam invitation (95%), with almost a quarter responding in some way. Eight percent reported losing money—approximately $8,000 per person or $846,170 in total. The most prevalent scam type involved fraudulent lotteries, although computer support scams were also prevalent. In terms of delivery methods, email was the most common scam delivery method, with 72 percent of respondents reporting having received a scam this way (Jorna & Hutchings 2013).

Of those survey respondents who identified their gender (98%), 16.5 percent of females and 12.4 percent of males reported victimisation in 2012, while respondents in the age categories ‘35 to 44 years’ and ‘over 65 years’ reported the highest percentage of victimisation (16.5% of total respondents within those age categories). In 2012, respondents in the income category $20,000 to less than $40,000 reported the highest percentage of victimisation (20% of total respondents within that income category; Jorna & Hutchings 2013).

In 2012, the Australian Competition and Consumer Commission (ACCC) received 83,803 scam-related contacts, with consumers and businesses suffering just over $93.4m in financial losses. Online shopping scam reports increased by 65 percent since 2011 to over 8,000 contacts and more than $4m in reported losses (ACCC 2013).

In the United States, consumer complaints have been collected annually since 1997 on the Consumer Sentinel Network, which now has over 8 million reports. In the calendar year 2012, 2,061,495 unverified consumer complaints were recorded and classified into 30 categories, with 18 percent relating to identity theft (369,132 complaints). Complaints of identity theft increased 32 percent between 2011 and 2012, and over 128 percent since 2002. Government documents/benefits fraud (46%) was the most common form of reported identity theft, followed by credit card fraud (13%), phone or utilities fraud (10%) and bank fraud (6%). Other significant categories of identity theft reported by victims were employment-related fraud (5%) and loan fraud (2%). Forty-two percent of identity theft complainants reported whether they contacted law enforcement. Of those victims, 68 percent notified a police department. Fifty-four percent of these indicated that a report was taken (FTC 2013).

In 2011 and 2012, AGD commissioned pilot research to quantify the extent of identity crime and misuse in Australia (Di Marzio Research 2012, 2011). Online surveys were conducted in May 2011 and June 2012 by a marketing and strategic research consultancy firm with samples of 1,200 respondents across Australia, weighted according to census population statistics for age, gender and area. Respondents came from an online research panel provided by My Opinions Australia as part of an annual Online Omnibus Survey. In 2011, five percent of respondents indicated that they had had their identity information stolen or misused ‘in the last six months or so’ and this increased to seven percent in 2012. In 2011, 12 percent reported that someone they knew had been victimised, which increased to 17 percent in 2012. More males than females reported victimisation in both 2011 and 2012 and the most prevalent age category for personal victimisation was 45 to 54 years in 2011 and 25 to 34 years in 2012. In 2011, the highest proportion of personal victims came from Western Australia, while in 2012 the highest proportion of personal victims came from Queensland. The most frequently reported manner of commission in both 2011 and 2012 was through ‘loss of credit cards or debit cards’ or ‘via the Internet through virus or bad software’. The most prevalent way in which personal information was used in both 2011 and 2012 was ‘to purchase goods or services’ or ‘to obtain finance, credit or a loan’. Most respondents in both years believed that victimisation of this nature would increase over the next year.

In 2012, AGD determined that more detailed and comprehensive research should be undertaken with a larger sample size that would better reflect the Australian population. With the resources available, the AIC was able to obtain responses from 5,000 participants drawn from an online panel. More rigorous, nationally representative research is being undertaken by the ABS. The ABS will be including a module on personal fraud in its National Crime Victimisation Survey for 2014–15 as part of the ABS’ Multipurpose Household Survey. The survey will collect data about people’s experiences of crime victimisation for a select range of personal and household crimes including personal fraud, although the scope of questions relevant to identity crime and misuse will be more restricted than in the current AIC survey.

Related links

Identity crime and misuse in Australia: Results of the 2013 online survey