Australian Institute of Criminology

Skip to content

Discussion

The present study sought to quantify the nature and extent of identity crime and misuse in Australia by obtaining the views of a large sample of Australians aged 15 years and over who resided across all states and territories. These results form baseline data that may be used to measure changes over time should future, comparable surveys be undertaken on a regular basis. Although differences in sample sizes, survey methodology and questions asked of respondents exist in comparison to prior research of this nature, it is possible to identify some areas of general comparison between the results reported here and comparable research conducted in Australia and overseas.

Perceptions of misuse of personal information

In relation to how respondents perceive the seriousness of the problem of identity crime and misuse, a large proportion of respondents from the present survey indicated that misuse of personal information was very serious or somewhat serious in terms of harm to the Australian economy (96.6%). Almost two-thirds of the respondents (65.2%) also considered that the risk of someone misusing their personal information would increase over the next 12 months.

Both of these perceptions concerning seriousness and likelihood of change were higher than similar perceptions reported by Di Marzio Research (2012), although the questions asked and sampling frame were not exactly comparable to those of the present study. In 2012, 89 percent of respondents to the Di Marzio Research (2012) survey indicated that identity theft and misuse caused them a lot of concern or some concern, while 61 percent believed that the risk of having their identity information stolen or misused would increase.

The survey conducted by the OAIC (2013) found that in total, over two-thirds of Australians expressed concern about the possibility of becoming the victim of identity theft and fraud in the next year (69%); a significant change compared with 2007 (60%; OAIC 2007). The OAIC (2013) also found a large change in the level of concern—a quarter of people interviewed in 2013 said they were very concerned (25%) compared with one in six (17%) in 2007. These findings are considerably lower than those of the present study, where 69 percent of respondents indicated very serious levels of concern. Both the OAIC (2013) and Di Marzio Research (2012) surveys has much lower sample sizes than the present study.

Experience of misuse of personal information

The present survey found that 20.8 percent of respondents reported misuse of personal information at some time during their life, with 9.4 percent reporting misuse of their personal information in the previous 12 months. This is somewhat lower than the lifetime prevalence rate of 27 percent of respondents to the National Fraud Authority’s (2013) survey of identity fraud, but higher than the 8.8 percent of respondents in the United Kingdom who reported experiencing identity fraud in the year 2012. The present survey’s lifetime prevalence rate of 20.8 percent is also much higher than the 13 percent lifetime rate of identity fraud reported by respondents to the OAICs (2013) survey and also higher than the US NCVS lifetime prevalence rate of 14 percent and the 12 month prevalence rate of 6.7 percent (Harrell & Langton 2013).

The present survey’s 9.4 percent rate of reported victimisation in the preceding 12 months is also much higher than that reported by the ABS (2012), which found that four percent of respondents had experienced identity fraud in the preceding 12 months, and arguably higher than Di Marzio Research’s (2012: 7) survey finding that seven percent of respondents experienced identity theft ‘in the last 6 months or so’. These variations are most likely due to the different sampling frames used, data collection techniques employed and focus of questions asked of respondents.

Losses, costs and consequences resulting from the misuse of personal information

Participants who experienced misuse of their personal information in the 12 months prior to the survey were asked how much they were left out-of-pocket as a result. Out-of-pocket losses were defined as being money paid out, excluding any money that they were able to recover from banks and also excluding any costs associated with repairing what occurred.

Over half of the respondents (54.3%) reported being left out-of-pocket with losses ranging from between $1 and $310,000 (mean=$4,101, median $247, SD=$34,062). The majority of participants experienced smaller losses. Total losses amounted to $1,025,250. In addition to these losses, banks and other organisations reimbursed respondents for losses they had suffered, resulting in an additional loss to those banks and other organisations. When the data were weighted, the mean amount reimbursed or recovered was $2,381 and the median amount reimbursed or recovered was $300 (SD=$23,478, n=255). It was found that most participants received reimbursement or recovery of small amounts, with some receiving much higher amounts. The total amount reimbursed or recovered during the last 12 months was $607,164. Finally, just over half of the respondents (56.1%) reported spending money dealing with the consequences of personal information misuse. The financial consequences of misuse of personal information during the 12 month period were, accordingly, total of out-of-pocket losses, amounts reimbursed and the cost of dealing with the consequences of misuse.

In addition to these costs, some participants experienced other consequences, the most frequent of which were being refused credit (14.1%), experiencing mental or emotional stress requiring counselling or other treatment (10.7%) and having been wrongly accused of a crime (5.5%). Participants also reported having spent between zero and 500 hours dealing with the consequences of having had their personal information misused over the previous 12 months, with 95 percent of respondents spending 60 hours or less.

These financial and other impacts are somewhat higher compared with other Australian data. The ABS (2012) found that one in three victims (33.2%) of credit card fraud had lost money, even after receiving reimbursement from banks and other organisations, with 15.2 percent of victims losing $100 or less, 9.1 percent losing between $101 and $500, 4.2 percent losing between $501 and $1,000, and 4.8 percent losing over $1,000. It was also found that just over a quarter (26.9%) of all victims of identity theft in the five years prior to interview had incurred financial losses as a result of the incident(s), with 24.1 percent losing $10,000 or less and 2.8 percent losing more than $10,000.

The Australian Payments Clearing Association (2013) reported scheme credit, debit and charge cards fraud perpetrated in Australia and overseas on Australia-issued cards amounted to $244,984,380 in 2012. Not all of this would fall within the definition of misuse of personal information within the terms of the present research.

In the United Kingdom, however, identity fraud was estimated by the National Fraud Authority (2013) to cost UK adults £3.3b during 2012, with those who actually lost money (2.7 million individuals) losing an average of £1,203 each (the equivalent of A$2,169).

In the United States, identity theft victims reported a total of US$24.7b in direct and indirect losses attributed to all incidents of identity theft experienced in 2012. The NCVS found that 68 percent of identity theft victims reported a combined direct and indirect financial loss associated with the most recent incident, with a mean loss of US$1,769 and a median loss of US$300. In addition to any direct financial loss, six percent of all identity theft victims reported indirect losses associated with the most recent incident of identity theft. Victims who suffered an indirect loss of at least US$1 reported an average indirect loss of US$4,168, with a median loss of US$30. With the exception of victims of personal information fraud, identity theft victims who reported indirect financial loss had a median indirect loss of US$100 or less. At the time of the interview, 14 percent of victims had experienced personal out-of-pocket financial losses of US$1 or more. Of those victims who suffered an out-of-pocket financial loss, 49 percent had total losses of US$99 or less, while approximately 18 percent reported out-of-pocket expenses of between US$100 and US$249. An additional 16 percent reported out-of-pocket expenses of US$1,000 or more.

About 36 percent of identity theft victims reported moderate or severe emotional distress as a result of the incident, although the level of emotional distress varied by type of identity theft. Thirty-two percent of victims of personal information fraud reported that they found the incident severely distressing, compared with five percent of credit card fraud victims. Twenty-two percent of victims of new account fraud reported that the crime was severely distressing. At the time of the interview, 86 percent of identity theft victims had resolved any problems associated with the incident and of these, the majority spent a day or less clearing up the problems, while about 29 percent spent a month or more (Harrell & Langton 2013). Comparing these results with those obtained in the present Australian survey, it appears that median losses were similar to those in the United States, while the proportion experiencing emotional harm was higher in the United States (although definitions of harm differed).

Reporting the misuse of information

As with prior research in Australia and overseas, reporting of misuse of identity was relatively low among survey respondents. Of those who experienced misuse of their personal information in the present survey, 8.9 percent did not report it in any way, 53.5 percent told a friend or family member, 7.8 percent told a government agency or a business organisation and 29.8 percent told a friend or family member as well as a government agency or business organisation. More than a third of respondents (39.5%) did not report the misuse of their personal information because they did not believe anything could be done about it, 23.6 percent were too embarrassed to report it, 23.1 percent did not know how or where to report the matter and 12 percent did not believe it was a crime.

These results are similar to those found in the AICs Online Consumer Fraud Survey 2012 (Jorna & Hutchings 2013). Respondents to this survey, which covered all types of consumer fraud including identity misuse, reported that family and friends were the most common recipients of scam complaints, with 43 percent of the total sample reporting to this category. Overall in 2012, 69 percent of the total sample reported a scam to at least one person or organisation. The most common reasons provided for not reporting scams were ‘unsure of which agency to contact’ (40% of the total sample), ‘I didn’t think anything would be done’ (32%) and ‘not worth the effort’ (29%).

Respondents to the present survey were also asked to specify which government agency or business organisation they had reported to and how satisfied they were with the outcome. The majority of reports resulted in a very satisfactory or satisfactory outcome. Participants were most satisfied with the response provided by Medicare Australia (91.7% responded either satisfied or very satisfied), an internet service provider (91.3%) and a bank, credit union, credit/debit card company or e-commerce provider (89.1%).

In the survey conducted by Di Marzio Research (2012), almost half of the respondents (48%) indicated that private sector organisations were of assistance in recovering stolen identity information, while 32 percent indicated that police were of assistance and eight percent named government agencies.

In the United States, the NCVS found that in 2012, 88 percent of all victims of identity theft reported the incident to one or more non-law enforcement agencies—either government or a commercial agency. About 86 percent of identity theft victims contacted a credit card company or bank to report misuse or attempted misuse of an account or personal information, while six percent of all identity theft victims contacted a credit monitoring service and a further three percent contacted an agency that issues identity documentation. One percent contacted the Federal Trade Commission and another one percent contacted a government consumer affairs agency or other consumer protection organisation. Nine percent of identity theft victims contacted a credit bureau to report the incident.

About nine percent of identity theft victims reported the incident to police. Victims of personal information fraud were the most likely to report the incident to police (40%), followed new account fraud victims (23%) and victims of multiple types of identity theft (22%). Fewer than 10 percent of victims of existing credit card (4%), existing bank account (9%) and other existing account misuse (6%) reported the incident to police. The 91 percent of identity theft victims who did not report an incident to police offered a variety of reasons for not reporting. Among all victims who did not report the incident to police, the most common reason was that the victim handled it another way (58%). About a third (29%) of non-reporting victims did not contact police because they suffered no monetary loss. One in five non-reporting victims did not think that the police could help and another 15 percent did not know how to report the incident to law enforcement (Harrell & Langton 2013).

Behavioural changes resulting from the misuse of personal information

Participants were asked how their behaviour had changed as a direct result of having their personal information misused. The top five behavioural changes were changing passwords (48.5%), being more careful when using or sharing personal information (48.1%), changing banking details (42.5%), reviewing financial statements more carefully (39.6%) and not trusting people as much (39.0%). A minority (5.9%) of participants who experienced misuse of their personal information in the previous 12 months indicated that this did not result in any behaviour change.

In its Personal Fraud Survey 2007, the ABS (2008) asked respondents to indicate how their behaviour had changed as a result of the most recent incident of various types of personal fraud victimisation. In relation to identity theft, 24.5 percent of respondents said that they were more aware or careful, 8.8 percent said they experienced reduced wellbeing, 3.9 percent had changed their internet service provider, email address, payment method, credit card details or internet security, 6.7 percent had stopped engaging, ignored or no longer dealt with that organisation or person, 3.4 percent made changes to contact details or physical or home security and 3.2 percent indicated other behavioural changes (owing to high relative standard error rates, some of these findings were unreliable). In total, 47 percent of respondents had changed their behaviour in some way following identity theft victimisation (the same percentage who indicated changed behaviour following card fraud).

In the United States, the NCVS found that a greater percentage of victims (96%) than non-victims (84%) had engaged in at least one preventive action and that about 12 percent of victims who took preventive action did so in response to experiencing identity theft in the past year. Overall, the two most common preventive actions in 2012 were checking bank or credit statements (75%) and shredding or destroying documents with personal information (67%). A higher percentage of victims than non-victims engaged in both of these preventative actions. However, about 13% of victims began shredding or destroying documents with personal information as a result of experiencing identity theft during the prior 12 months and 26 percent began checking bank or credit statements as a result of the victimisation. Less than 10 percent of victims purchased identity theft protection (4%) or insurance (6%) or used an identity theft security program on the computer (6%) after experiencing identity theft, while about a quarter of victims checked financial accounts or changed passwords on these accounts as a result of the victimisation (Harrell & Langton 2013).

The most serious occasion of misuse of personal information in the previous 12 months

Participants who experienced misuse of their personal information within the previous 12 months were asked further questions about the most serious occasion on which misuse had occurred during this time. The most serious occasion was defined as the occasion that resulted in the largest financial or other harm to the participant.

The top three types of personal information that had been misused were credit and debit card information (52.3%), name (40.2%) and bank account information (31.1%). These results were similar to those reported in Di Marzio Research’s (2012) survey where the most prevalent way in which identity theft or misuse had occurred was loss of credit card or debit card, reported by 35 percent of respondents. Similarly, in the United States, the NCVS found that the majority of identity theft incidents (85%) involved the fraudulent use of existing account information, such as credit card or bank account information and that among identity theft victims, existing bank (37%) or credit card accounts (40%) were the most common types of misused information (Harrell & Langton 2013).

Participants were asked how they believed their personal information had been obtained on the most serious occasion in the previous 12 months. The top five ways were from theft or hacking of a computer or other computerised device (20.0%), from an online banking transaction (19.5%), by email (18.3%), from information placed on a website other than social media, such as online shopping (15.7%) and from an ATM or EFTPOS transaction (11.0%). Di Marzio Research’s (2012) survey also found a high incidence of identity theft and misuse taking place through internet viruses or scams (31% and 27% respectively). In the United States, the NCVS found that approximately one-third (32%) of identity theft victims knew how the offender had obtained their information and of the 5.3 million victims who knew how the identity theft occurred, the most common way offenders obtained information (43%) was to steal it during a purchase or other transaction (Harrell & Langton 2013).

Participants were asked how they believed their personal information had been misused on the most serious occasion in the previous 12 months. The top three reasons were to obtain money from a bank account (excluding superannuation; 35.4%), to purchase something (32.5%) and to apply for a loan or obtain credit (8.1%). Di Marzio Research’s (2012) survey found that 59 percent of respondents believed that their identity information had been used to purchase goods or services and a further 31 percent believed that it had been used to obtain finance, credit or a loan.

Participants to the present survey who indicated that their personal information had been misused to purchase something were asked to specify what was purchased. The most commonly purchased items included airfares and travel, and electronics such as computer equipment and mobile phones.

Participants were asked how they became aware of the misuse of their personal information on the most serious occasion in the previous 12 months. The top three ways were receiving a notification from a bank or financial institution and/or credit card company (43.4%), noticing suspicious transactions in a bank statement or account (33.3%) and receiving a bill from a business or company for which they were not responsible (13.5%). This was similar to the results of the NCVS in the United States, which found that among victims who experienced the unauthorised use of an existing account, 45 percent discovered the identity theft when a financial institution contacted them about suspicious activity on their account. By comparison, 15 percent of victims who experienced the misuse of personal information to open a new account or for other fraudulent purposes discovered the incident when a financial institution contacted them. Victims of these other types of identity theft were more likely than victims of existing account misuse to discover the incident when another type of company or agency contacted them (21%) or after they received an unpaid bill (13%). Twenty percent of victims of existing account misuse discovered the incident because of fraudulent charges on their account, compared with eight percent of victims of other types of identity theft (Harrell & Langton 2013). Participants were asked how much they were left out-of-pocket due to the misuse of personal information for the most serious occasion in the past 12 months (excluding any money that they were able to recover from banks and any costs associated with repairing what occurred). No financial loss was experienced by 43.5 percent of participants. The remaining participants experienced losses ranging from $1 to $310,000. The mean out-of-pocket loss was $5,179.23 in respect of the most serious occasion in the past 12 months.

Participants who had been reimbursed by banks or other organisations, or recovered their losses in other ways, in respect of the most serious occasion recovered between $1 and $310,000. The mean amount recovered was $2,866.09 in respect of the most serious occasion in the past 12 months.

Personal characteristics of those who experienced misuse of personal information in the previous 12 months

The demographics and characteristics of those who experienced misuse of personal information in the previous 12 months were explored in more detail using statistical analysis. Prior research in Australia and overseas has generally presented only simple descriptive statistics without statistically testing the presence and power of relationships between variables. As such, it is not possible to compare the statistical test results obtained in the present study with a number of previous research surveys.

Di Marzio Research’s (2012) survey found statistically significant relationships at the 95 percent confidence level in respect of victimisation (‘over the last six months or so’) and gender, age categories and state of residence. Significant relationships were also found for a number of types of victimisation and perceptions of risk, although statistical test results were not reported for all variables.

The survey conducted by OAIC (2013) found that men (14%) and women (11%) were equally likely to be victimised, victimisation rates were lower for people aged under 25 (2%) and over 65 (9%), and victimisation rates increased with household income (7% of those living in households earning less than $25,000 versus 15% of those living in households earning more than $100,000). The OAIC (2013) survey also found that people who were least likely to be the victims of identity fraud and theft were those most concerned about the possibility of it happening to them. It was also found that younger Australians were the least likely to think that they may become the victim of identity theft and fraud in the next 12 months and that Australians living in Western Australia were most likely to have been a victim of identity theft (18%) or knew someone who was (40%).

In the United States, the NCVS found that a similar percentage of males and females (7%) had experienced identity theft in 2012 and that across all types of identity theft, prevalence rates did not vary significantly by sex. After accounting for whether a person owned a credit card and bank account, prevalence rates for existing credit card and existing banking account misuse did not vary by sex. In terms of age, it was found that persons aged 16 to 17 years (less than 1%) were the least likely to experience identity theft, followed by persons ages 18 to 24 years (5%) and 65 years and above (5%). After accounting for credit card ownership, persons ages 16 to 24 were the least likely to experience the misuse of an existing account, while persons age 65 years and above had a similar prevalence rate as persons aged 25 to 34 years. Among those who had a bank account, persons ages 16 to 17 years and 65 years and above were the least likely to experience bank account fraud. Overall, persons in the highest income category (those with an annual household income of US$75,000 or more) had a higher prevalence of identity theft than persons in other income brackets. After accounting for credit card ownership, persons in the highest income bracket had the highest rate of existing credit card account misuse. Among persons who had a bank account, there were no significant differences in the prevalence of identity theft across income categories, with the exception of the unknown category (Harrell & Langton 2013).

In the present survey, it was found that a number of variables did not have a significant relationship with misuse of personal information in the previous 12 months. They included place of normal residence, age group, gender, language spoken at home and the number of hours spent on a computer or computerised device variable.

A significant relationship was, however, found between experiencing misuse of personal information in the previous 12 months and Indigenous status (Indigenous was defined as those who identified as Aboriginal, Torres Strait Islander, or both Aboriginal and Torres Strait Islander). These results indicate that those who identified as Indigenous were more likely to experience misuse of their personal information.

A significant relationship was also found between individual gross income category and experience of misuse of personal information in the previous 12 months. These results indicate that those in the lowest income category ($18,200 and under) were less likely to experience misuse of their personal information than were those earning $37,001 and above.

A significant relationship was found between perceptions of the seriousness of misuse of personal information and experiencing misuse of personal information in the previous 12 months, with those who had experienced misuse being more likely to perceive it as being very serious. Similarly, a significant relationship was found between perceptions about the risk of misuse of personal information in the next 12 months and experiencing misuse of personal information in the previous 12 months.

Two significant relationships were found between place of normal residence and the place from which personal information had been obtained in respect of respondents who had experienced misuse of their personal information in the previous 12 months. First, it was found that respondents located outside a capital city were significantly more likely than those who were located in a capital city to have had their personal information lost or stolen from a business or other organisation (ie a data breach). Secondly, it was found that respondents located outside a capital city were significantly more likely than those who were located in a capital city to have had their personal information obtained from a website other than social media (eg during online shopping).

Further analyses were undertaken to test the relationship between the characteristics of respondents that reported a financial loss and the amount that they reported. No significant relationship was found between the amount of financial loss and age, gender, location, income and Indigenous status.

A significant relationship was found between financial loss and language spoken at home, with those who spoke English having lost significantly more than those who spoke a language other than English at home.

The number of hours spent dealing with the consequences of identity misuse, as well as the amount of money spent, were both found to have a significant medium, positive correlation with amount of financial loss, indicating that the higher the financial loss, the more time and money was spent dealing with the consequences.

Conclusion

In recent years, continued attention has been given to the problem of identity crime by government policymakers, business security analysts and academic researchers. Evidence of the full nature and extent of victimisation is now becoming evident, although differences in research methods have made comparative analysis across jurisdictions problematic. The present research sought to provide up-to-date data on the experiences of a large sample of Australians drawn from all states and territories, concerning their perceptions of the risks of misuse of personal information and the extent to which they have suffered victimisation of this kind. The results indicate that it appears that identity crime continues to affect many Australians. In the years ahead, further survey research will enable trends in the data to be plotted to determine how risks of identity crime change and whether crime prevention initiatives have been effective.

It was found in the present survey that a high proportion of respondents believed that misuse of personal information was serious, with almost two-thirds believing that the risk of someone misusing their personal information would increase over the next 12 months. Both of these perceptions concerning seriousness and likelihood of change were higher than similar findings reported by previous Australian research (Di Marzio Research 2012; OAIC 2013). In terms of reported victimisation, the present survey found that 20 percent of respondents reported misuse of their personal information at some time during their lives, with just over nine percent reporting misuse during the previous 12 months. Although these levels of victimisation differ from previous Australian and overseas research, there is arguably a need to publicise the results of the present survey so that perceptions more accurately reflect the actual levels of victimisation experienced in Australia.

In terms of harms caused by misuse of personal information, the survey found that approximately half of those who had experienced misuse suffered out-of-pocket financial losses totalling over $1m. In addition, banks and other organisations reimbursed victims over $600,000 in respect of claims made during the preceding year. Although such losses relate only to the misuse experienced by those who responded to the survey, this level of financial impact is high. In addition, respondents identified a range of other non-pecuniary impacts including having been refused credit (14.1%), experiencing mental or emotional stress requiring counselling or other treatment (10.7%) and having been wrongly accused of a crime (5.5%). The experience of victimisation also resulted in a range of behavioural changes including reduced levels of trust and increased caution in conducting transactions. Such impacts can have important consequences for personal wellbeing as well as confidence in the online marketplace. Ideally, potential victims of crimes of this nature need to be supported in dealing with the consequences of their victimisation and more importantly, in avoiding victimisation and re-victimisation in the first place.

As occurs with other types of fraud, the levels of reporting to official agencies, including law enforcement agencies, was low, although respondents were generally satisfied with the outcomes when they reported to some government agencies and financial institutions. Almost one-quarter of respondents said that they did not know how or where to report the matter and 12 percent did not report because they did not believe it was a crime. The implementation of the Australian Online Crime Reporting Network may assist to make reporting more attractive to victims of identity crime, although victims’ expectations of the level of assistance available will need to be carefully managed.

The present research also explored the circumstances of the most serious occasion on which misuse had occurred during the previous year. It was found that personal information was most often misused in connection with online commercial transactions, particularly card fraud. Online banking, social media and card-based transactions were thought to have been most often the source of misuse, with stolen information most often used for commercial purchases or to obtain finance.

In terms of the characteristics of victims, it was found that Indigenous Australians were more likely to experience misuse of their personal information than others, while those earning $37,000 and above were more likely to experience misuse. It was also found that respondents located outside a capital city were significantly more likely than those who were located in a capital city to have had their personal information lost or stolen from a business or other organisation and that respondents located outside a capital city were significantly more likely than those who were located in a capital city to have had their personal information obtained from a website other than social media (eg during online shopping). Those who spoke English were found to have lost significantly more than those who spoke a language other than English at home. These findings were all statistically significant.

Further research would be required to understand fully the reasons associated with these relationships. Smith and Jorna (2011) have explored some of the vulnerabilities to fraud of those living in regional and remote communities, including their lower levels of income and financial literacy, as well as their increased reliance of online services owing to face-to-face transactions being less available. Other possible areas to explore could include the possibility that people living in rural areas might have higher levels of trust when using online transactions than those in cities, while at the same time having less knowledge of the security weaknesses of the technologies they use. Or perhaps it might also be the case that rural, remote and Indigenous respondents were more willing to report the circumstances of their victimisation, perhaps being less concerned about embarrassment when reporting. Some of these findings might also be an artefact of the survey sampling frame and methodology used. Qualitative research through the use of in-depth interviewing would help to understand and explain the findings presented in this report in more depth.

The results of this survey confirm prior research that misuse of personal information remains an important form of criminal activity in Australia in 2013. The results could be used effectively by those tasked with devising fraud prevention initiatives in a number of ways. For example, it would be possible to provide targeted information to those most likely to be victimised outlining how they could better protect themselves against identity crime and misuse. Such initiatives may result in future surveys of this kind finding reduced levels of victimisation and fewer financial and other consequences for Australians in the years ahead.

Related links

Identity crime and misuse in Australia: Results of the 2013 online survey