Identity theft is becoming an increasingly common cybercrime as malicious actors used advanced technologies to target the personal and private information of individuals. According to the Australian Bureau of Statistics, an estimated 0.8% of Australians aged 15 years and over (154,300) experienced identity theft in 2020-21.
While it is important for people in all age groups to be aware of identity theft, young people are most often the victims of this crime. Persons aged 25 to 34 are most likely to experience identity theft (1.0% or 33,700 persons in that age group) whilst persons aged 55 years and over are the least likely (0.4% or 25,900 persons in that age group).
What is identity theft?
A cybercriminal commits identity theft if they access another individual’s personal information without their consent, to gain benefits or steal money. The type of personal information accessed can include:
- Personal details such as your full name, date of birth and place of birth and current residential address.
- Information regarding bank accounts and bank cards including debit and credit cards.
- Information regarding licences and other forms of ID cards.
- Your government information such as tax file number and Medicare number.
- Your login credentials to online accounts including email accounts, accounts with your employer, streaming services etc.
Once this information is accessed, the cybercriminal may:
- Use that information to transfer money from your account to themselves.
- Apply for credit or loans under your name and leave you with the debt.
- Steal sensitive and confidential information such as employer’s files.
- Steal your tax refund or Medicare benefits.
Common methods of identity theft
Identity theft may be perpetrated using various methods, which typically involve the use of technology:
- Phishing – the individual is tricked into providing their personal information through scam emails in which the cybercriminal pretends to be a reputable company such as a bank and asks for credit card details.
- Hacking – the criminal gains access to the individual’s information (which may include a government or business account) by exploiting security weaknesses on their computer, mobile device or network.
- Remote access scams – the individual is tricked into giving access to their computer and paying for a service they don’t need. The criminal may impersonate a reputable IT company and state that the individual has a virus in their system.
- Malware & ransomware – malware is a virus that tricks the user into installing software that allows cybercriminals to access the user’s files and track what they are doing, while ransomware is a virus software that demands payment to “unlock” the user’s computer or files.
- Fake online profiles – the cybercriminal sets up a fake profile on a social media platform such as Facebook or a dating site and attempts to gain the trust of someone and then exploit them for financial gain.
- Data breaches – the criminal obtains the individual’s data through accidental data breaches of business or government accounts. The person may not even be aware that some of their information has been obtained by scammers.
- Traditional document theft – the cybercriminal gains access to the individual’s private information through traditional means of theft, by physically stealing documents through unlocked mailboxes or discarded personal documents such as utility bills, insurance renewals or health care records.
Australian identity theft laws and penalties
The Criminal Code Act 1995 (Cth) at Part 9.5 criminalises identity theft in Australia.
Section | Offence | Maximum penalty |
372.1 Dealing in identification information
|
(1) A person (the first person) commits an offence if:
(a) the first person deals in identification information; and (b) the first person intends that any person (the user) (whether or not the first person) will use the identification information to pretend to be, or to pass the user off as, another person (whether living, dead, real or fictitious) for the purpose of: (i) committing an offence; or (ii) facilitating the commission of an offence; and (c) the offence referred to in paragraph (b) is: (i) an indictable offence against a law of the Commonwealth; or (ii) a foreign indictable offence. |
5 years imprisonment |
372.1A Dealing in identification information that involves use of a carriage service
(Dealing in identification information using a carriage service) |
(1) A person (the first person) commits an offence if:
(a) the first person deals in identification information; and (b) the first person does so using a carriage service; and (c) the first person intends that any person (the user) (whether or not the first person) will use the identification information to pretend to be, or to pass the user off as, another person (whether living, dead, real or fictitious) for the purpose of: (i) committing an offence; or (ii) facilitating the commission of an offence; and (d) the offence referred to in paragraph (c) is: (i) an indictable offence against a law of the Commonwealth; or (ii) an indictable offence against a law of a State or Territory; or (iii) a foreign indictable offence. |
5 years imprisonment |
372.1A Dealing in identification information that involves use of a carriage service
(Dealing in identification information obtained using a carriage service) |
(1) A person (the first person) commits an offence if:
(a) the first person obtains identification information; and (b) the first person does so using a carriage service; and (c) the first person deals in the identification information; and (d) the first person intends that any person (the user) (whether or not the first person) will use the identification information to pretend to be, or to pass the user off as, another person (whether living, dead, real or fictitious) for the purpose of: (i) committing an offence; or (ii) facilitating the commission of an offence; and (e) the offence referred to in paragraph (d) is: (i) an indictable offence against a law of the Commonwealth; or (ii) an indictable offence against a law of a State or Territory; or (iii) a foreign indictable offence. |
5 years imprisonment |
372.2 Possession of identification information | (1) A person (the first person) commits an offence if:
(a) the first person possesses identification information; and (b) the first person intends that any person (whether or not the first person) will use the identification information to engage in conduct; and (c) the conduct referred to in paragraph (b) constitutes an offence against section 372.1 or subsection 372.1A(1) or (3). |
3 years imprisonment |
372.3 Possession of equipment used to make identification documentation | (1) A person (the first person) commits an offence if:
(a) the first person possesses equipment; and (b) the first person intends that any person (whether or not the first person) will use the equipment to make identification documentation; and (c) the first person intends that any person (whether or not referred to in paragraph (b)) will use the identification documentation to engage in conduct; and (d) the conduct referred to in paragraph (c) constitutes an offence against section 372.1 or subsection 372.1A(1) or (3). |
3 years imprisonment |
It is not an offence to attempt to commit any of these offences.
These offences criminalise an individual using stolen identification information to commit a serious offence such as theft, fraud or extortion. For example, if a cybercriminal logs into a victim’s bank account using their identification information and steals money from the account, the cybercriminal will be in breach of section 372.1 as they “dealt with” identification information with the purpose of committing theft.
Under section 370.1 of Part 9.5, the Criminal Code Act defines identification information as “information, or a document, relating to a person (whether living, dead, real or fictitious) that is capable of being used (whether alone or in conjunction with other information or documents) to identify or purportedly identify the person, including any of the following:
- Name or address.
- Date or place of birth, whether the person is married or has a de facto partner, relatives’ identity or similar information.
- Driver’s licence or driver’s licence number.
- Passport or passport number.
- Biometric data.
- Voice print.
- Credit or debit card, its number, or data stored or encrypted on it.
- Financial account number, user name or password.
- Digital signature.
- Series of numbers or letters (or both) intended for use as a means of personal identification.
- ABN.
NSW identity theft laws and penalties
The Crimes Act 1900 (NSW) criminalises identity theft through three primary offences:
Section | Offence | Maximum penalty |
192J Dealing with identification information | A person who deals in identification information with the intention of committing, or of facilitating the commission of, an indictable offence is guilty of an offence. | 10 years imprisonment |
192K Possession of identification information | A person who possesses identification information with the intention of committing, or of facilitating the commission of, an indictable offence is guilty of an offence. | 7 years imprisonment |
192L Possession of equipment etc to make identification documents or things
|
A person who:
(a) possesses any equipment, material or other thing that is capable of being used to make a document or other thing containing identification information, and (b) intends that the document or other thing made will be used to commit, or to facilitate the commission of, an indictable offence, is guilty of an offence. |
3 years imprisonment |
The NSW offences also criminalise an individual using stolen identification information to commit a serious offence such as theft, fraud or extortion.
The Crimes Act definition of identification information is the same as the definition under the Criminal Code Act.
What the prosecution must prove
For offences under both Commonwealth and NSW laws, the prosecution must generally prove beyond a reasonable doubt:
- The accused dealt with identification information,
- The accused intended for the identification information to be used for committing or facilitating the commission;
- Of an indictable offence in Australia or overseas by the accused or another person.
For offences involving a carriage service, the prosecution must prove that the accused used or obtained information through a carriage service (such as a phone, mobile device or computer).
The Criminal Code Act defines dealing with identification information to include making, supplying or using any such information.
It is not an offence to attempt to commit these offences under both the Commonwealth and NSW laws.
Possible defences
Possible defences to identity theft include:
- Did not deal with identification information.
- The identification information is the accused’s own information.
- Legitimate reason to deal with the information. Consent of the individual is not a legitimate reason.
- Did not have intention to commit or facilitate the offence.
For offences involving a carriage service, a potential defence is establishing that the accused did not use or obtain information through a carriage service (such as a phone, mobile device or computer).
How to report identity theft in Australia
If you are a victim of identity theft, you should immediately contact the police on 131 444 for advice and assistance. You should also contact your financial institution/s and any relevant online platforms that you use such as social media accounts.
After you report the incident to the police, ask for a police report or reference number so you have evidence that you reported the issue.
Contact IDCARE, a free service for Australian residents that will work with you to develop a plan to limit the damage of identity theft, on 1800 595 160.
How to prevent identity theft
You can take several steps to ensure you are protected from identity theft. Some steps include:
- Secure your mail, for example put a lock on your mailbox. If you are expecting and do not receive important mail such as ID cards, follow up with the relevant institution or government agency to ensure it is still on the way.
- Use public computers and internet services with caution. Cybercriminals may set up fake free WiFi spots to hack into your phone or laptop.
- Use strong and unique passwords for your accounts. Write these passwords down instead of saving them on your device. Frequently change the passwords.
- Frequently review your bank statements and credit card statements to check for any suspicious withdrawals.
- Shred documents containing personal information before disposing of them.
- Review credit reports annually to check for any suspicious loans or financial activity under your name.
- Install antivirus software.
- Do not give out personal information or sensitive information to unsolicited telephone callers or emails. Banks and other institutions will never ask for these details through calls or emails.
- Do not interact with people you don’t know on social media. Block and report them if they ask for suspicious information.
- Be wary of posting personal information on social media.
Identity theft case examples
- In 2020, NSW Police arrested a man who obtained $11 million through a fraud ring which stole the personal information of more than 80 people and used it to modify payroll data, superannuation details and credit card records. The arrested man had been in possession of a raft of stolen personal information including driver’s licences, passports and tax file numbers. The man pleaded guilty to financial fraud and identity fraud offences and has been sentenced to 11 years in prison.
- A registered National Disability Insurance Scheme (NDIS) services provider accessed the accounts of 230 Scheme participants between June and August 2018. The provider then made 392 requests for payment from the NDIS for services that he did not provide. He pleaded guilty to defrauding the NDIS of more than $370,000 and attempting to obtain a further amount of more than $85,000. The man was sentenced to four years in prison.
How can we help?
Nyman Gibson Miralis provides expert advice and representation to individuals charged with identity theft.
Contact us if you require assistance.