How Identity Theft Actually Happens in Australia — And How to Stop It

Identity theft in Australia is significantly underreported. The Australian Bureau of Statistics estimates around 1 in 20 Australians have experienced identity theft, with victims spending an average of 170 hours over several years resolving the consequences. Unlike a stolen credit card which can be cancelled in minutes, a stolen identity can take years to fully resolve — because the underlying personal information cannot be changed.

How Your Identity Gets Stolen

The most common methods in 2025-2026 are data breaches from companies that hold your personal information — Optus, Medibank and Latitude Finance collectively exposed the personal data of tens of millions of Australians in recent years. Phishing attacks that trick you into providing your details directly on fake websites. Malware that captures information entered on your devices. Mail theft targeting people who still receive financial statements, tax documents, and government correspondence by post. And synthetic identity fraud, where criminals combine real elements of your identity with fabricated information to create a new fraudulent profile.

What Criminals Do With a Stolen Identity

With your name, date of birth, and government ID numbers, criminals can open credit cards and personal loans in your name. File fraudulent tax returns to redirect your refund. Take over existing financial accounts by answering security questions. Apply for government benefits. Or sell your identity on criminal markets — where a complete Australian identity package with driver's licence, Medicare number, and financial details can sell for $500 to $2,000.

How to Find Out If Your Identity Has Been Stolen

Signs of identity theft include: unexpected bills or debt collection notices for accounts you did not open; credit card or loan applications being rejected for no apparent reason (suggesting your credit file has been impacted); unexplained withdrawals from your accounts; notifications of accounts or transactions you did not initiate; or discovering accounts in your name that you did not open when checking your credit report. You are entitled to a free credit report from the major credit reporting agencies — Equifax, Experian, and illion — which will show any credit enquiries or accounts in your name.

How to Protect Yourself

Use strong, unique passwords for every online account — a password manager makes this practical. Enable multi-factor authentication on email, banking, myGov, and any account that holds financial information. Be extremely cautious about what personal information you share online and in response to unsolicited contact. Shred physical documents containing personal information rather than putting them in recycling. And check your credit report at least once per year.

If You Are a Victim

Contact IDCARE (idcare.org or 1800 595 160) — the national identity and cyber support service — for specialised, free assistance. Contact each financial institution involved. Consider placing a credit ban on your credit file, which prevents new credit being issued in your name without additional verification. Report to the OAIC if your information was exposed in a data breach. And document everything — date, time, who you spoke to, what was resolved — because identity theft resolution is a long process that benefits significantly from detailed records.

Placing a Credit Ban

If you believe your identity has been compromised, consider placing a ban on your credit file. A credit ban prevents any new credit applications from being processed in your name without additional verification — it does not affect your existing accounts or ability to use current credit. You can place a ban with each of the three credit reporting bodies: Equifax (1300 762 207), Experian (1300 783 684), and illion (1300 734 806). The initial ban lasts for 21 days and can be extended. During a ban, if someone attempts to apply for credit in your name, the credit provider is required to contact you directly to verify the application before proceeding.

Prevention Through Information Minimisation

One of the most effective long-term protections against identity theft is being thoughtful about what personal information you share and where it is stored. Consider whether each piece of personal information you provide is genuinely necessary — do loyalty programs need your date of birth? Does a competition entry need your address? Minimising the personal information you share reduces the amount of data that can be stolen in a breach or used in a social engineering attack. In the digital context, review the privacy settings on social media accounts — the combination of your full name, date of birth, suburb, and workplace that many people share publicly provides much of the information needed for identity fraud. IntrusionX provides personal security consultations for Melbourne individuals and families — contact us for support.