Online Identity Theft: What It Is and What to Do When It Occurs

Online identity theft is a criminal act that occurs when someone illegally acquires and uses an individual’s personal information to commit fraud or illicit activities in their name.

The stolen information can include login credentials for email accounts, phone numbers, credit card details, as well as data found on documents such as ID cards, tax codes, and driver’s licenses. These pieces of information collectively define our “digital persona” – our personal, financial, and tax profiles – which are scattered online.

In this article, we will explore the most common types of online identity theft, how they occur, and what victims should do.

1. Types of Online Identity Theft
2. How Online Identity Thefts Happen
3. Legal Implications
4. What to Do in Case of Online Identity Theft

1. Types of Online Identity Theft

Digital identity theft can be either total or partial. Criminals can steal all of an individual’s data, essentially cloning their identity, or they may only take the data they consider useful for their purposes.

When personal data is collected from different sources and combined like a collage to create a “new” identity, it is referred to as Synthetic Identity Theft.

In both cases, theft can occur against living individuals or deceased individuals. In the latter circumstance, it is known as Ghosting (Identity theft).

Depending on the purpose for which the theft is committed, digital identity theft can be further categorized into various other types.

Medical Identity Theft, for example, involves stealing an individual’s health data, typically to obtain drugs and medical devices for the black market.

The broadest and most widespread category is Financial Identity Theft, which involves crimes against property since the primary goal of most cybercriminals is monetary gain.

However, online identity theft can also constitute a crime against individuals when it aims to damage their reputation, such as in cases of cyberbullying involving impersonation, or in any context where the data thief pretends to be someone else, an entity, organization, or company, with the intent to defame and denigrate.

2. How Online Identity Thefts Happen

Digital identity theft can occur through various means by which cybercriminals gain access to other people’s electronic devices. Any malware capable of spying and recording data, such as spyware, can be used for this purpose.

According to multiple sources (e.g., Clusit – Italian Association for Information Security in the ICT Security Report 2022), the most common method of stealing personal data is still Phishing, which involves luring victims through deceptive emails. Attackers impersonate trusted entities or companies, typically banks or post offices, and request personal information under the guise of a seemingly legitimate reason.

A vocal variant of phishing is Vishing, where the same mechanism is used, but contact between the perpetrator and the victim occurs via telephone through direct voice communication. If the baiting is done through SMS, it is referred to as Smishing.

In each case, criminals carry out (and often successfully complete) the breach using social engineering techniques closely associated with Phishing and its variants. The primary defense is to increase suspicion. As the proverb goes, “Expect the worst, and you won’t be disappointed” – which holds true in this case.

3. Legal Implications

Given that online identity theft occurs in the vast, limitless realm of the internet, it is challenging to regulate this matter and adapt legislation to the elusive and ever-evolving digital landscape.

Italian law does not have a specific provision for online identity theft. Instead, it is covered by Article 494 of the Penal Code (crime of impersonation) and Article 640ter of the Penal Code (computer fraud).

The punishment for the crime of impersonation ranges up to one year of imprisonment. Computer fraud, which encompasses online identity theft as an aggravating factor, carries a penalty of two to six years of imprisonment and a fine ranging from 600 to 3,000 euros.

From a legal perspective and for the protection of victims, the following points are relevant:

• Online identity theft, in any form, is a criminal offense.
• As a crime of impersonation, it can be prosecuted ex officio. This means that even individuals who are not direct victims (e.g., bank managers whose clients have been targeted and harmed through phishing) can file a complaint.
• Victim reporting is crucial. According to recent judgments by the Supreme Court, failure to report can be used as evidence against the defendant.

4. What to Do in Case of Online Identity Theft

Digital identity theft should be reported to the Postal Police, the branch of the State Police responsible for monitoring cybercrimes.

To assist users, the portal allows online reporting directly from the homepage, under the section “Denuncia per reati telematici” (Report for cybercrimes).

If the fraud has a financial motive, individuals should report it to their financial institution to primarily block access to bank accounts and credit cards. If online identity theft occurs through social media platforms (e.g., Facebook, Twitter, Instagram), individuals should report it to the platform’s support section.

Additionally, it is advisable to report the incident to the Italian Data Protection Authority and the Communications Guarantor Authority for further assistance.