Why Identity Theft Happens

Identity thieves collect personal information — name, date of birth, address, tax file number, bank details — to open accounts, take out loans, or access your existing accounts in your name. Information is obtained through data breaches, phishing emails, physical mail theft, social engineering and social media oversharing.

The Most Important Protections

  1. Use unique, strong passwords and a password manager

    Reusing passwords is the leading cause of account takeover. When one service is breached, attackers try the same credentials everywhere else. A password manager (Bitwarden is free and excellent; 1Password is premium) generates and stores a unique strong password for every account. You only remember one master password.

  2. Enable two-factor authentication on critical accounts

    Enable 2FA on your email, banking, superannuation and social media accounts. Your email is the most important — access to your email lets attackers reset passwords for everything else. Use an authenticator app (Google Authenticator, Authy) rather than SMS where possible — SMS 2FA is vulnerable to SIM swapping.

  3. Check your credit report annually

    In Australia, you are entitled to one free credit report per year from each bureau (Equifax, Experian, Illion). Request at annualcreditreport.com.au or directly from each bureau. Look for accounts you did not open, addresses you have not lived at, or enquiries you did not make. Early detection limits damage.

  4. Shred documents with personal information

    Bank statements, utility bills, medical letters and anything with your full name, address, TFN or account numbers should be shredded before disposal. A cross-cut or micro-cut shredder ($30–80) is a worthwhile investment. Mail theft from letterboxes is a common physical identity theft method.

  5. Be cautious with what you share online

    Your date of birth, address, phone number and mother’s maiden name are common security question answers. Avoid posting them publicly. Be wary of online quizzes that collect personal details (“What is your stripper name? First pet + street you grew up on” — this is social engineering for security answers).

  6. Recognise phishing attempts

    Phishing emails impersonate banks, the ATO, Australia Post and other trusted organisations. Signs: urgency, threats, requests for personal information, links to slightly misspelled URLs (e.g. commbank-secure.com). Never click login links from emails — type the address directly into your browser.
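
The "slightly misspelled URL" sign from item 6, as an added example that is not part of the original guide: a Python check that classifies a link's host as trusted, lookalike or unknown. The allowlist contents, the function names and the one-character spelling threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for illustration: real domains of organisations named above.
TRUSTED = {"commbank.com.au", "ato.gov.au", "auspost.com.au"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resembles(label: str, brand: str) -> bool:
    """True if label is the brand word or a one-character misspelling of it."""
    if label == brand:
        return True
    # Skip fuzzy matching for very short brands to avoid false positives.
    return len(brand) > 3 and edit_distance(label, brand) <= 1


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Trusted only when the host is the domain itself or a subdomain of it.
    for dom in TRUSTED:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    # Split on dots and hyphens so "commbank-secure" yields "commbank".
    labels = [p for part in host.split(".") for p in part.split("-")]
    for dom in TRUSTED:
        brand = dom.split(".")[0]
        # Brand word used inside a different domain, or a near-miss spelling.
        if any(resembles(label, brand) for label in labels):
            return "lookalike"
    return "unknown"
```

A "lookalike" result means the host borrows a trusted name without belonging to that organisation's domain; "unknown" only means no resemblance was found, not that the link is safe.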

If you suspect you are a victim

Contact your bank and the relevant institutions immediately. Lodge a complaint with IDCARE (idcare.org — Australia’s national identity and cyber support service, 1800 595 160). Place a credit alert with the credit bureaus to flag unusual activity. Lodge a police report for your records.

Frequently Asked Questions

Visit haveibeenpwned.com — enter your email address to see if it has appeared in known data breaches. If it has, change the password for that service (and any other services where you used the same password) immediately. Enable alerts on haveibeenpwned to be notified of future breaches involving your email.
A VPN prevents others on the same network from intercepting your traffic — useful on public WiFi. It does not protect against phishing, data breaches, social engineering or weak passwords — which are the primary identity theft methods. A VPN is a useful tool but not a primary defence against identity theft. Strong unique passwords and 2FA are far more impactful.