How does identity theft happen?

Identity theft occurs when your personal information is learned or stolen and then used to pretend to be you.

The methods criminals use to steal your personal information change frequently, particularly those that exploit technology. However, some methods are commonly used, and they can be divided into four categories.

Oversharing

This is the simplest method and occurs when you provide more personal information than is needed. It also frequently occurs on social networking sites, so it is important to ensure that you have privacy controls in place and don’t accept friend requests from people you don’t know.

Offline methods

Dumpster diving

Going through your rubbish to find items showing personal information, such as credit card and bank statements, bills and envelopes showing a full name (and sometimes a logo of a company where an account is held).

Shoulder surfing

Looking over your shoulder when you enter your PIN at an ATM or EFTPOS terminal, or your passwords when using the Internet in a public place.

Wallet or document theft

Stealing or acquiring your documents and using the information they include. A wallet is likely to contain a large amount of information about you, even if the cards are cancelled.

Bogus phone calls

Calling you on the phone and convincing you to provide information or to take some action. This can include giving access to your computer. Callers may pretend to be from a legitimate company or government agency.


Capturing the information encoded into the magnetic strips on the back of credit and EFTPOS cards. This data can then be put onto a blank card and used to access the account.

Online methods


Malware

Any software used to cause harm to your computer or device or to subvert it for another use. Malware includes viruses, worms, trojan horses, backdoors, keystroke loggers, screen scrapers, rootkits and spyware.


Spam

Unsolicited electronic messages, which can be used to deliver malware or by criminals who are phishing. The Department of Internal Affairs’ Anti-Spam Unit provides help and information about spam, as well as enforcing the Unsolicited Electronic Messages Act.


Phishing

Luring you into providing information using emails and mirror-websites that look like they come from a legitimate business.


Smishing

This is the same as phishing but is directed at your mobile phone. As smartphones become more advanced, so does smishing.

Spear phishing

Using websites and email that appear legitimate, to lure you into providing information or taking an action. When the criminal already knows something about your habits they can make these interactions appear to be real.

Methods outside your control


Pretexting

Contacting a business and impersonating you or a legitimate contact to request your account information.

Business record theft

Stealing data from a business where you have an account (which could be computerised or paper records). This is often done in larger numbers than pretexting, but both can involve staff members.


Exploiting vulnerabilities in an electronic system or in computer software to steal your personal information.

The Ministry of Consumer Affairs runs Scamwatch, which provides more information about scams (some of which are created to gain personal information).