Disguised and Dangerous:
A Deep Dive into Modern Identity Theft

Marike: All right. Welcome to Trend Micro's Spotlight Session where we aim to shine a revealing light on the hidden dangers lurking in today's digital world. In each of these sessions, we're bringing together leading voices from cybersecurity, law enforcement, government, and advocacy organizations to share real-world insights and practical tips. My name is Marike Kuyper, and I'm part of the consumer education team at Trend Micro. Today we're joined by Eva Velasquez, CEO of the Identity Theft Resource Center, also known as the ITRC. They're a nonprofit dedicated to reducing the risk and impact of identity theft by offering free personalized victim assistance. They also conduct in-depth research, advocate for stronger policies, and develop educational materials to help everyone stay informed and protected. Eva, welcome to our Spotlight Session.

Eva: I am so happy to be here. I can't wait to dig in.

Marike: Eva, you spent years at the District Attorney's office and the Better Business Bureau, and now you're leading the ITRC. What first drew you to consumer protection and identity crime prevention?

Eva: Well, thank you for being so kind and saying years—it was decades. I spent decades at the DA's office, and it was where I started my career. I was in the fraud department, and there were a couple of pieces there. The first one is just that the puzzle pieces of putting together what was happening was very appealing to me. But once I realized how few resources we have for this crime type, that was when I was absolutely bit by the bug. It's such an important issue. And when you look at consumer protection on the whole, that is something that affects everybody. This is not a niche problem. So it was a combination of so many problems to solve, mysteries to solve, and so many people to help that I just was like—I love working with fraud and identity crimes, and identity crimes very broadly: identity theft, misuse, scams, fraud, cybercrime—all of those pieces.

Marike: So for viewers who may not actually be familiar, can you explain what identity theft actually is, what it can look like for victims, and also how the ITRC helps them?

Eva: Well, identity theft and misuse really is sort of a two-part equation. So we have identity theft—the stealing of your identity credentials, the information that's needed to prove that you are you. You do that in your everyday life, when you want to apply for a credit card or log into an account, or even open a new account. Someone with that information can pretend to be you. And that's where the misuse comes in. So theft—the stealing of those credentials, and misuse—the actual use of them for some kind of gain, usually monetary gain. But it can be other things, like getting more data. Victims find out about this in a variety of ways. I think a lot of people think it's always just credit cards, something to do with financial instruments. And while it's true that that is often the end goal, you can have financial gain without just opening a credit card in someone's name. You can get medical goods or services, prescriptions, or apply for government benefits in someone's name—like unemployment. We saw a huge spike in fraudulent unemployment claims during the pandemic. So again, there are so many ways that your identity can be misused. Think about all the ways that you use it legitimately, and that is the number of ways it can be misused if those credentials are in the wrong hands. And we at the ITRC help people with direct one-on-one assistance—whether it's recovery assistance because they have discovered that they are a victim, or consumer education if they need help making a decision. I love that we help with this issue across the entire spectrum, no matter where that person is on their journey. Are they a concerned consumer just looking for general information? Have they encountered something that they need help with right now and need to make a decision? Or are they saying, "Oh, I did something, I made a mistake, or this thing happened to me, and now I need recovery help"? And we can help them all along the way—and it's all at no cost to them.

Marike: That's fantastic. So you're really supporting them from raising awareness all the way through to recovery. If it happens, do you think you could give us some examples of what scammers rely on most? Would it be phishing emails, stolen mail, or data breaches? What's the most common thing that you see?

Eva: Well, I'm both biased and the data shifts. I'm biased because we at the ITRC have maintained the largest repository of publicly reported data breaches since 2005, and data breaches really are fueling identity crimes. At the same time, whenever there are new tools introduced or external events that scammers want to exploit, you're going to see that ebb and flow. So, data breaches—I think—is number one. Phishing—oh my gosh! Phishing and social engineering. With AI coming into the mix, the bar for entry for someone to perpetrate these scams is incredibly low. But then I also don't want to forget about things we hear about every day—that analog type of stealing and misuse. You've got a relative that has access to your credentials. Maybe someone stole your mail. Maybe it's a roommate. We talk with foster youth, who unfortunately have their credentials really out in the wild—in local government databases, with biological parents, multiple foster families. So there's both analog and digital. Digital by far has the broader scope and scale, but analog still happens.

Marike: So for these data breaches that you mentioned—they seem really constant these days. I know I'm constantly getting letters in the mail saying my data has been breached from a company. In your opinion, are companies really keeping our data safe, or is the current climate of deregulation making it harder to protect consumers?

Eva: You know, as far as companies keeping it safe, it's really hard to make a broad statement. I think some companies are doing their best. They really are following all of the best practices, meeting more than the minimum standards—but it only takes one vulnerability. I always think about the velociraptors—taking you back to Jurassic Park—how they tested the fences for weakness. That's all they did all day long, and they were just waiting for that five-minute moment when the power was out. That's what the scammers are doing. They're testing for those weaknesses. At the same time, I think for the deregulation question—the jury's out. I don't think we're seeing the results of that yet. We are definitely continuing to see a lot of breaches this year, which I'm very surprised by. We had a record year. We've seen a new baseline over the last couple of years. The normal trend has been you’ll have a peak, then it dips—not crashes, but dips a little—because the bad actors are busy monetizing that data. Then in a year or two or three, they come back. They need a refresh of that data.

Marike: Feels like millions of accounts at a time sometimes, right?

Eva: Oh, good!

Marike: That’s a lot of information.

Eva: They're looking for all of that data, and then they monetize it. It's cyclical, but I think the cycle is shifting a little bit. Too early to tell exactly what it's going to be, but it's something we're keeping an eye on.

Marike: And if you're one of the folks listening who has had your information stolen in a data breach—what should you do? If I get that notification, how soon should I act, and what kind of action should I take?

Eva: I always tell people: react, don't panic. I don't want people having a panic attack or great anxiety, but I also don't want them to shove the notice in a drawer and say, “I'll get to that later.” Take a look at the notice. Make sure you understand specifically what data was breached. Not all breaches are created equal, and the way you remediate or recover from a breach is very different depending on what data was compromised. If your Social Security number and other information was compromised that would allow a thief to open new lines of credit, then I'm going to tell you—freeze your credit right away. That's your first step if it’s not already frozen. Conversely, if your username and password were breached, I'm going to tell you—change your password. Upgrade your password game. So it's really important to know specifically what type of data was breached. And if you can't tell from the breach notice, then I encourage people to contact the company. It’s their responsibility to be transparent and give people the information they need so they can act accordingly.

Marike: So it sounds like—take a moment to take some inventory of what was lost. Figure out what was compromised. Contact them if you don’t know what kind of information they had about you. You mentioned freezing credit. Can you quickly explain what that means, for those who don't know?

Eva: It’s the most proactive and robust consumer protection step available to us. It allows you to take your credit profile—the one lenders use to determine if they'll extend credit—and freeze it so no one else has access to it except for you and the organizations you already have a relationship with. So if a thief has all of your data and tries to apply for a credit card, it can't go through because your credit needs to be thawed. It’s a really easy process now. It used to be very cumbersome. And in fact, I love that we're talking about this because we just received a donation of a tool called Frozen Pii. It was developed by a longtime partner of ours, Tom O'Malley, and he donated it to the ITRC. We're now powering it. It's a one-stop shop for people to come and get the information they need to freeze their credit. The links to the different bureaus are right there. We even have a page with all the specialty bureaus, because many people don't realize how many there are.

Marike: In the U.S., there are three main bureaus. In Canada, I believe there are two. And unfortunately, credit freezing isn’t necessarily available globally, but I know for the United States, it’s available in all 50 states.

Eva: It is.

Marike: That’s wonderful. So, coming back to the data breaches—many viewers tuning in may be small business owners or entrusted with handling customer data. What are some of the biggest risks they should be aware of, and how can they proactively safeguard themselves and their customers?

Eva: I usually tell the small business owners I interact with to treat their business the same way they treat their individual identity. Do things like checking your business credit profile regularly—you can do that on Dun & Bradstreet, but also through the major three bureaus. Sign up for alerts for your business credit cards and bank accounts. Review the business's public records for any unauthorized changes. And as far as protecting their customers—train your staff. That is often the weakest link. I say this not to be pejorative—it’s just reality. We're all being deluged with phishing and scam attempts. Your staff are consumers too. So, good training and creating a culture of cybersecurity, data protection, privacy, and data minimization needs to come from the top down. Have strong policies to safeguard customer data. When it comes to data collection—if you don’t need it, don’t collect it, because if you don’t have it, it can’t be stolen.

Marike: I mean—

Eva: And then retention and disposal. Know there are many things that come with collecting data, and it’s important to follow best practices.

Marike: Does the ITRC actually offer any resources—or do you know of resources—specifically tailored to small businesses or startups that you could point them toward?

Eva: We do offer solutions for small businesses. We have a lot of free resources, and we also have paid resources. We use the money from those paid services to fund our free services for individuals. So not only are businesses getting the great information they need at a very reasonable price—we're not looking to make a profit—but they’re also supporting a nonprofit that's trying to do good in the world.

Marike: That's fantastic—good information for the small business owners listening in. These days, we’re seeing that scams are often AI-powered. Do you think AI is changing the game for scammers and identity thieves? And how can consumers protect themselves as these tools become more sophisticated?

Eva: I do think AI has changed the game 1,000%. It’s no longer possible for individuals to tell—just by appearance—if something is legitimate. Ten years ago, we used to train people to spot fake emails by grammar errors, fuzzy logos, or syntax issues. Some of that still exists, but the level of perfection and sophistication in phishing emails, texts, and fake websites now is astounding. I tell people: it’s impossible to tell. So, go to the source and verify. Especially if you didn’t initiate the contact—whether it’s an email, text, phone call, or social media DM—don’t engage on that platform. Go directly to the source. It’s universal advice. It applies across every platform. If there’s one thing folks remember today, it’s this: go to the source and verify.

Marike: That’s great advice—absolutely. And as you mentioned earlier, it’s not just about credit cards. Identity theft can have fallout across many areas—medical, reputational, and more. What kinds of non-financial consequences do you see most often, and how do you help victims recover?

Eva: When it comes to non-financial consequences, it’s twofold: the domino effect and the emotional impact. With the domino effect, if someone has their identity misused and they’re trying to prove who they are, it can stop them from moving forward. It could be a young person trying to get student loans or someone applying for a job, promotion, or security clearance—or even trying to rent an apartment. Then there’s the emotional impact. Our data shows people lose trust, feel shame and embarrassment. Some even feel suicidal—which is far too common. That emotional toll can make people disengage. They don’t want to tell anyone or ask for help, and their recovery stalls. That’s where we come in. We provide one-on-one recovery plans. What I love about our organization is that we help with immediate needs but also provide educational materials and guides to protect them in the future. We take our time. You get a case manager. You move at your own pace. We want people to feel empowered. Even after going through this, they know they can get back up—and that they’re not alone.

Marike: That's fantastic. It sounds like your support isn't just a one-time phone call. Recovery takes time, and you're there to help at different stages.

Eva: Exactly. We have to help the individual. They’ll have different needs, and we meet them where they are. If it takes an hour or two—fine. If it takes five minutes—also fine. They dictate how we help them. We offer expert advice and create a really nice synergy.

Marike: We’ve heard from other guests that underreporting is real—many victims don’t come forward. Do you have any statistics, or a message for people about overcoming the stigma and seeking help sooner?

Eva: It's hard to get data around a non-event—someone not reporting. But we know from experience that people aren’t coming forward. There’s a sense of shame and embarrassment. Everyone has a role to play—not just the person experiencing it. We need to convey that there’s nothing to be ashamed of. I often tell victims, if you fell and broke your leg, you wouldn’t be mad that you couldn’t set your own bone—you’d go to a doctor. Same thing here: it's beyond your skill set. Get help. And I think folks in this space—like us—and the media have an obligation in how we talk about victims. I still see language like “duped,” “fell for it,” or “how could they not see that?” That adds to the shame. Even if it’s not said aloud, people feel it. Especially with seniors, we need to be careful. Many fear that if they make a financial mistake, their loved ones will think they’re no longer capable of managing their own affairs. And while cognitive decline is real, we can’t treat scam victimization as a litmus test for capability. People need to know it’s okay to make a mistake and ask for help.

Marike: Do you have a sense of the real demographics of identity theft victims? Is it all ages and backgrounds?

Eva: Oh my gosh—yes. You’re hitting on one of the things I constantly try to get across. I hear all the time: “Who’s most vulnerable? Seniors, right?” Or, “It’s Gen Alpha or Gen Z.” No—everybody is vulnerable. Just differently. It’s not about age—it’s how you engage with the world, especially digitally. If you look at the data from us, the FTC, IC3—any given year you’ll see a slightly higher reporting rate from one group, like 35–44-year-olds. That’s a fact. But the difference between age groups is maybe 1–2%. Aside from the very young and very old, we’re all pretty equally vulnerable.

Marike: Yeah, I’ve heard it said: it’s not if you’ll be scammed, but when.

Eva: Exactly. Everyone is being targeted. Even me—I’m not immune. Given the right set of circumstances, I could believe a scam. If it's from a vendor I know, I’m distracted, making dinner, talking to my kids, dog underfoot—it’s easy to miss something. I might click on a link. That doesn’t make me gullible. It makes me human.

Marike: Yes! Even people in cybersecurity have told me they’ve fallen for scams. We can have good habits, use software tools, and still fall for something.

Eva: There are those velociraptors again—testing the fence. We're the fence.

Marike: So is there one practice—or a couple of practices—you recommend? You talked about credit freezes. Is there anything else that everyone should be adopting right now to reduce their risk and secure their "fence" from identity theft?

Eva: There are a number of things people can do. I always encourage people to practice good identity and cyber hygiene. Think of it like maintaining your health—your doctor wouldn’t just say “brush your teeth” and leave it at that. They’d say: get enough sleep, eat right, exercise. It’s the same here. These small habits add up. Where do we start? The big three: First, freeze your credit, which we already talked about. Second, update your password game. Please use unique passwords across all of your accounts. Don’t use the same easy password. Use unique passwords that are 12 characters or longer. It can be a passphrase. Just don’t use a single dictionary word—it can be cracked in less than a second. If a password manager is intuitive to you, use one—even if you have to pay for it. For seniors, it’s okay to write them down, with some caveats. Don’t keep them in a Word doc or on your phone. Use a notepad in a secure place at home. That’s much better than using the same password across all your accounts. Third, enable MFA—multi-factor authentication. I have t-shirts that say “Enable MFA.” It’s that second step that sends you a one-time use token. Even if someone has your username and password, they still can’t get in. Whether it’s a text or an email code—never share it with anyone, no matter how legitimate they sound. That code is only for logging into your account. Better yet, enable passkeys where they’re offered. You don’t have to remember anything, and it reduces that vulnerability. It’s not a silver bullet, but it solves that issue very well.

Marike: Yeah, we hear that people can have upwards of 150 online accounts—retailers, ticketing, flights, hotels, email—and you want to keep those passwords updated due to breaches. That’s a lot to manage. If you don’t have a system or tool, it’s overwhelming. I think that’s why people default to reusing simple passwords they can remember.

Eva: There’s good news on that front. And the last item in our top three is MFA, like I mentioned. Enable it. That one-time use code—whether by text or email—adds a strong layer of protection. And again, don’t share it with anyone. Better yet, use passkeys. We’re seeing wide adoption, and I think it’s promising. It doesn’t solve every identity problem, but it solves that one very well.

Marike: That's wonderful advice. One thing I noticed about the ITRC is that you're also advocating for better policies. Would you like to see more collaboration between government bodies, nonprofits, or tech companies? What’s missing from the broader conversation?

Eva: We’d absolutely like to see more collaboration. I want to see NGOs and nonprofits working more closely with all stakeholders. Nonprofits fill the gaps between what government provides and what the private sector sells. There are great products out there—but if there were a business case to offer free identity recovery services, someone would have done it. It's not profitable. That’s why nonprofits exist. And the gap is becoming a chasm. I want to see more acknowledgment from government about how serious this problem is. Not just in prevention and detection—we’re involved in those conversations and want more of them—but also in recovery. Until we create a perfect system where no one is victimized, we need more robust recovery services. People need our services—and other services, like peer support. But many criminal justice programs won’t fund those unless the victimization was violent. That needs to change. We need to rethink both public and private policies to reduce victimization rates and mitigate the impact when it happens.

Marike: Okay—

Eva: —policies that ensure we reduce the number of victims and minimize the impact when someone is targeted.

Marike: We spoke to a member of law enforcement in our last session who said we shouldn’t treat victims of cybercrime any differently than a stabbing victim. One is physical, one is digital—but the fallout can be just as damaging.

Eva: Oh, I love him. I want to work with him! We actually do a lot of support programs for law enforcement. Our live chat is embedded on numerous local LEA and state websites—like the New Mexico Attorney General’s site. We get referrals from the FTC. We love working with law enforcement. They focus on their piece—investigation, finding the bad guy. That’s what they do, and I know that, because I used to do that. We focus on recovery. We have dozens of collaborative partnerships across the country. When law enforcement hands a victim a police report, they refer them to us so we can support them—because they don’t always have the resources to do that follow-up.

Marike: I'm sure they’re grateful you exist—and I know victims are too. You've been at the forefront of this fight for a long time. What keeps you personally motivated? Is there a success story that stands out?

Eva: I love our stories. One that stands out is a woman who was about to be scammed by a government and bank impersonator. She was about to move all the money from her 401(k)—hundreds of thousands of dollars. Her provider got suspicious and started putting up barriers, asking for more information. That slowed things down. She contacted us. We told her it was a scam. She’d been told not to trust her provider—it was supposedly an insider job. Very clever scam. But we convinced her otherwise. She never moved the money. She didn’t lose it. She came very close—but she didn’t lose it. That kind of story reminds us why we do what we do. But honestly, it’s not just one compelling story—it’s the hundreds of thousands of stories over the past 12 years. We just did our annual report—it’s nearly 2 million people we’ve helped in the last two years.

Marike: Massive numbers!

Eva: Exactly. And when I think about that—it’s what keeps me going. If not us, then who? I don’t know who would step in. I don’t want to leave that gap. This work has purpose. It’s also intellectually stimulating—because as much as I hate the bad guys, they are a crafty lot.

Marike: They keep us all on our toes. So, for those who want immediate help or want to learn more about preventing identity theft, what resource should they visit? Would you like to share your website so people can find support?

Eva: Sure. For those who want information, go to our website: idtheftcenter.org. That’s I-D-theftcenter-dot-org. If you need immediate help, you can live chat with us on the site—or call our toll-free number: 888-400-5530.

Marike: Eva, thank you so much for sharing your expertise. We really appreciate the important work the ITRC is doing to support identity theft victims and raise awareness. And thank you to our viewers for joining us. Stay tuned for our next session, where we’ll dive into more global perspectives on online safety.

Eva: Thanks, everybody. It was a pleasure.

Marike: Take care! Bye-bye.