BOSTON – If some of the numbers being cited about identity theft are to be believed, it's just a matter of time before some unseen cyberhustler steals your name, empties your bank account and wrecks your financial reputation. You can almost hear the maniacal laughter.
By some measures, one in five Americans has been hit. Another common statistic is that 10 million people fall victim every year.
Making matters even scarier, new laws in California and other states have forced companies to essentially tell all U.S. consumers when their personal data have been compromised — even if the files have not actually been maliciously used.
In response, Congress is considering bills to restrict the flow of personal information. And identity theft monitoring services have sprung up that can cost consumers well over $100 a year.
But while it's certainly important to be vigilant against this potentially devastating crime, it also appears identity theft is too broadly defined and often misunderstood.
As a result, some experts say, lawmakers and companies might be misdirecting their anti-fraud energies. Overly fearful consumers could be unnecessarily avoiding doing business on the Web.
Too often overlooked, many analysts argue, are savvy "synthetic" fraud schemes that frequently don't directly victimize individual consumers.
In such schemes, criminals invent fictitious identities and use them to ring up phony charges. By some estimates, this accounts for three-quarters of the money stolen by identity crooks.
"There's a lot of fraud that is not being identified as fraud, not being measured accurately," said Anne Wallace, executive director of the Identity Theft Assistance Center, an industry-funded group that helps victims resolve fraud problems for free. "It's written off as bad debt. It's bad debt because the guy didn't exist."
To understand the risks we really face, it's worth analyzing the statistics.
Multiple surveys have found that around 20 percent of Americans say they have been beset by identity theft. But what exactly is identity theft?
The Identity Theft and Assumption Deterrence Act of 1998 defines it as the illegal use of someone's "means of identification" — including a credit card. So if you lose your card and someone else uses it to buy a candy bar, technically you have been the victim of identity theft.
Of course misuse of lost, stolen or surreptitiously copied credit cards is a serious matter. But it shouldn't force anyone to hide in a cave.
Federal law caps our personal liability at $50, and even that amount is often waived. That's why surveys have found that about two-thirds of people classified as identity theft victims end up paying nothing out of their own pockets.
The more pernicious versions of identity theft, in which fraudsters use someone else's name to open lines of credit or obtain government documents, are much rarer.
Consider a February survey for insurer Chubb Corp. of 1,866 people nationwide. Nearly 21 percent said they had been an identity theft victim in the previous year.
But when the questioners asked about specific circumstances — and broadened the time frame beyond just the previous year — the percentages diminished. About 12 percent said a collection agency had demanded payment for purchases they hadn't made. Some 8 percent said fraudulent checks had been drawn against their accounts.
In both cases, the survey didn't ask whether a faulty memory or a family member — rather than a shadowy criminal — turned out to be the culprit.
It wouldn't be uncommon. In a 2005 study by Synovate, a research firm, half of victims who determined who was to blame pinned it on relatives, friends, neighbors or in-home employees.
When Chubb's report asked whether people had suffered the huge headache of finding that someone else had taken out loans in their name, 2.4 percent — one in 41 people — said yes.
So what about the claim that 10 million Americans are hit every year, a number often used to pitch credit monitoring services? That statistic, which would amount to about one in 22 adults, also might not be what it seems.
Both totals include misuse of existing credit cards.
Subtracting that, the identity theft numbers were still high but not as frightful: The FTC report determined that fraudsters had opened new accounts or committed similar misdeeds in the names of 3.2 million Americans in the previous year.
The average victim lost $1,180 and wasted 60 hours trying to resolve the problem. Clearly, it's no picnic.
But there was one intriguing nugget deep in the report.
Some 38 percent of identity theft victims said they hadn't bothered to notify anyone — not the police, not their credit card company, not a credit bureau. Even when fraud losses purportedly exceeded $5,000, the kept-it-to-myself rate was 19 percent.
Perhaps some people decide that raising a stink over a wrongful charge isn't worth the trouble. Even so, the finding made the overall validity of the data seem questionable to Fred Cate, an Indiana University law professor who specializes in privacy and security issues.
"That's not identity theft," he said. "I'm just confident if you saw a charge that wasn't yours, you'd contact somebody."
Now, you might say, who cares if statistics are inflated or misleading?
After all, identity theft remains widespread even by conservative measurements. And companies that handle our personal information still could go to greater lengths to protect it — often simply by encrypting their files.
For one thing, she believes it confuses people trying to determine their level of risk.
That could lead many consumers to unnecessarily shy away from Internet commerce, or drive them into the arms of costly protection vendors instead of making regular scans of their credit reports — a process that is now free.
Cheney also believes the muddled definitions make it harder for financial firms to assess their countermeasures and trickier for law enforcement to monitor trends.
It also could throw lawmakers off course as they consider solutions.
For example, several identity theft measures pending in Congress are focused on curtailing the use and transfer of personal data.
But companies that scan for the manipulations employed by "synthetic" fraudsters have said some proposals — such as restrictions on the dissemination of Social Security numbers — actually might inhibit their work.
The bills also don't appear to address loopholes in the credit system that let synthetic fraud flourish.
"It may be a big problem, but it's not the big problem that policymakers and legislators are talking about right now," Cate said. "We're tilting at the wrong windmill."