The Identity Theft Resource Center (ITRC) supports victims of identity theft, fraud, and scams and offers identity protection education. Each year, they publish a report that summarizes the responses to the questionnaire they send to their constituents. In 2025, they aimed for a broader coterie of consumers and have collated those responses in a report that has me extremely concerned.
To clarify, the individuals who contact the ITRC are not merely victims of a credit card scam or phishing attack. They are individuals whose identity records have been hijacked by criminals — sometimes repeatedly — and who invariably undertake long-term processes to regain their financial stability. Let’s go through some of the findings.
The 2025 ITRC report shows that many of the victims they serve are more security-conscious before their victimization. Yet, they suffer catastrophic financial losses and face a grueling, frequently unresolved recovery process. Their experience fosters a deep skepticism of technological solutions, but they develop a sophisticated system-level understanding of the identity crime ecosystem.
For the general population included in the 2025 report, the primary form of attack is increasingly the compromise of their digital social lives. In contrast, the lives of ITRC victims are dominated by more complex and often financially oriented crimes.
ITRC victims reported that before their compromise, more than 50% used multi-factor authentication, more than 45% had already frozen their credit, and at least 30% did not reuse passwords across different accounts. Those statistics, to me, are shockingly high, and above what I consider “main stream.”
The fact that such a significant portion of this group was already employing strong security measures underscores the sophistication of the attacks they faced. These were not crimes of simple opportunity, but often targeted efforts capable of bypassing standard defenses.
By way of comparison, the general population reported lower adoption rates for the same critical defenses. The ITRC analysts believe that the decline in the use of basic protections may point to a growing “security fatigue” or a false sense of security among the public, thus creating a wider pool of vulnerable targets at a time when criminal attacks are becoming more sophisticated.
Any time someone becomes a victim of a fraud, phishing attack, or identity crime, it is a painful experience. Most people will use the event as a starting point for behavioral change, but “most” isn’t everyone. The ITRC analysts think the intensity of the victim’s response is directly proportional to the severity of the trauma experience. In other words, a less complex incident may prompt a password reset or update, whereas systemic financial fraud forces a complete and lasting re-evaluation of one’s entire digital footprint.
When it came time to quantify the economic impact that crime victims faced, the numbers ran through an entire spectrum. Nearly 20% of both ITRC victims and the general population got “hit” for less than $500. However, the ITRC reported receiving reports of victims who lost funds up to and exceeding one million dollars.
Because the ITRC case load is skewed to helping erase these life-altering financial events, the year-over-year increase in high-value losses across both sets of victims is a critical finding. Analysts suggest that criminals are becoming increasingly adept at monetizing stolen identities and successfully extracting larger sums from victims across the board — regardless of the initial point of compromise.
How confident are these people when it comes to trusting artificial intelligence (AI) to protect them? Actual ITRC victims — having been failed by existing security systems — are profoundly skeptical of this supposed technological silver bullet. In the general population, while most are cautious, they show a greater willingness to place faith in AI solutions. This belief may stem from a less severe breach of their personal sense of security. It may not have exposed them to the systemic, multi-layered failures that ITRC victims often endure during their protracted recovery efforts.
And why is that? Because in both this year’s and last year’s reports, nearly 50% of victims had cases that remained unsolved. Many cases that get resolved take months or even years of persistent effort.
What does this mean for the victims of identity theft? They cannot lease or purchase a car. Their credit (as reported by the three major companies) is in a shambles. They often struggle to rent an apartment or buy a new home. In many cases, they are emotionally detached, and (new to this report’s findings) more than 20% are thinking in terms of self-harm.
Still think you are cyber safe? If you’ve been reading my newsletters, you know I have harped (ad nauseum) about being careful and how you can use best practices to improve your online security and reduce your risk. The ITRC recently created a quick quiz for everyone to test their knowledge by answering a few questions. You’ll even be able to download a PDF version of your results. If you’d like to send me your report, I’ll take the time to provide comments.
You can find the quiz here: https://www.idtheftcenter.org/are-you-cyber-safe/
Thanks, and safe computing!