Total identity fraud losses in the US were estimated at a whopping $43bn last year. While many of us are getting savvier about how we protect our personal information online, can we say the same about our children’s data? Child identity theft is more common than you might think. Almost a million US children were victims in 2022, with incidents costing an average of $1,128 per household and taking 16 hours to resolve. That amounts to a problem costing Americans over $1bn annually.

This alone should be enough to focus our minds on the task in hand. So why is kids’ personal information in such high demand, how is it getting stolen and what can parents do to stop it?

A billion-dollar problem

Fraudsters use children’s identity data for many of the same ends as they do adults’ information:

  • Opening bank accounts to use in money laundering and scams
  • Opening new credit card accounts in order to run up debt
  • Fraudulently obtaining welfare benefits and loans

Why are youngsters’ details so popular among the criminal fraternity? A big part of the attraction is the fact that children typically don’t have bad credit ratings. That means the fraudster has greater confidence that their attempts to monetize stolen identity data will not be blocked by banks or government agencies. The victim themself is also less likely to notice that their identity has been stolen, because—even if they have one – kids won’t be primed to regularly check their bank account or credit report. Scams may go unnoticed for years.

Another popular technique which lends itself well to child identity data is synthetic fraud. This is when a scammer combines personal data from several sources: some real, some fake. A brand-new identity is thus created using that all-important child data to ensure a clean credit history.

How child ID theft happens

The cybercrime underground is a well-oiled machine where different actors have different roles. Cybercriminals will typically harvest personal data and then sell it on dark web marketplaces and forums, for fraudsters to use in follow-on attacks. Once again, the methods for obtaining this data are similar to those used to compromise adults. They include:

  • Phishing via email, social media or even text. Individuals are lured to click on malicious links, potentially installing information-stealing malware, or else tricked into handing over their personal details – perhaps to enter a non-existent prize draw.
  • Third-party breaches. Roughly 1.7 million American children, or 1 in every 43, had their personal information exposed and potentially compromised via a data breach last year, due to no fault of their own.
  • Account takeover: Gaming, social media and even online learning accounts can be valuable troves of identity information. They can be compromised via phishing attacks, brute-force password cracking/guessing and other techniques.
  • Oversharing on social media: Parents can be as guilty as their kids of sharing too much personal information via social accounts. Even birth dates and details about their schooling can be weaponized in follow-on scams designed to elicit more info.
  • Family members: Familial fraud is shockingly common. In an estimated 67% of households that experience child identity fraud, the victim personally knew the perpetrator(s). Close-up access to sensitive documents gives these family members the perfect opportunity, and an assumption of innocence means fraud can go undetected for years.
  • Physical theft: The old ways are still popular, such as seizing documents from the trash or even direct from the mail.

How to keep your child’s identity safe

Fortunately, several tried-and-tested best practices can have a significant positive impact on child identity risk, and need not be too onerous. They include:

  • Avoid oversharing information about your child on social media. Sharenting is best avoided, unless accounts are well locked down.
  • Monitor for unusual activity on your child’s accounts (bank, phone, etc.).
  • Consider a credit freeze for your child with each of the three US credit bureaus (Experian, TransUnion and Equifax). This means banks and other providers would not be able to issue loans/credit in your child’s name.
  • Keep all household machines/devices updated with the latest patches and anti-malware software.
  • Explain to your children the dangers of oversharing on social media, phishing attacks or identity theft.
  • Limit the number of accounts/services your child signs up for. Put in your details where necessary instead.

Spot the warning signs

Alongside preventative measures it makes sense to stay alert to the prospect of fraud attempts using your children’s identity data. The following are tell-tale signs something may be wrong:

  • Unusual or unexpected bills/statements arrive addressed to your child.
  • Welfare benefits are denied because the government claims they’ve already been paid to your child’s Social Security number.
  • IRS letters demanding taxes from your child.
  • Bank account applications are rejected due to poor credit history.
  • Collection agencies start calling asking to speak to your child.

What to do in a worst-case scenario

If the worst happens, it’s important to take action quickly. Get a credit report for your child and if there’s anything there, put an immediate freeze on it. Next up:

  • Report the incident to the Federal Trade Commission (FTC).
  • Report the incident to the police.
  • Notify all three credit bureaus.
  • Notify any organization where your child’s info has been used to open a fraudulent account. Ask them to close it and get written confirmation that your child is not responsible for it.

Identity fraud is a part of life – sadly for our children too. Being a responsible parent in the digital age may require more effort than it did 20 years ago. But doing so is really non-negotiable.

FURTHER READING: 5 warning signs your identity has been stolen

For more do’s and don’ts on the internet, head over also to Safer Kids Online. Also, make sure to watch ‘Hey PUG‘, ESET’s new animated series teaching kids to recognize online threats.