Key findings: Identity crime continues to be of serious concern to a large number of Australians, with around two-thirds of survey respondents expressing concern about becoming a victim of identity crime in the next 12 months.
In addition to direct impacts on victims, identity crime appears to be a significant concern to Australians more broadly. Findings from recent surveys show that between one quarter and two thirds of respondents perceive identity crime to be a serious problem (see Figure 22).
In addition to the AIC and OAIC surveys mentioned above, Unisys has undertaken annual surveys since 2006 that gauge community concern about a range of security-related issues. Responses to the 2013 Unisys Security Index survey show that, across all of the issues canvassed—which included national security threats and serious health epidemics—the two issues that rated highest in terms of level of concern were:
unauthorised access to/misuse of personal information (62%)
other people obtaining/using credit card/debit card details (60%) (Unisys 2013).
Figure 22: Level of concern about identity crime and misuse, by survey
Source: OAIC 2013b; Unisys 2013; Smith & Hutchings 2014.
2.5 The types of personal information most susceptible to identity theft or misuse.
Key findings: The types of information most susceptible to identity theft include financial information (credit card numbers and bank account details) and other biographic information (name, date of birth). Passwords were also identified as vulnerable in around one in five cases of identity crime and misuse. Organisations that use this information to transact with their clients need to take adequate precautions to ensure that it remains protected.
For the most serious occasion of victimisation, the AIC Survey asked respondents about the types of personal identifying information (PII) that they perceived to be most at risk of misuse. Respondents believed that credit/debit card information was the most susceptible to misuse, followed by name and bank account information (see Figure 23).
Figure 23: Types of PII that respondents reported was misused in previous 12 months
Note: Data was weighted to reflect the distribution of the population across jurisdictions. There were 460 survey participants who answered this question, and respondents could select multiple types of personal information.
Source: Smith & Hutchings 2014.
Key findings: The total direct losses and associated costs of identity crime to government agencies are difficult to estimate, but they are likely in the order of several hundred million dollars each year. Where an agency invests additional effort and resources in detecting and investigating this activity, the amount of incidents detected is likely to increase considerably. Due to limited available data, it is difficult to accurately quantify the direct cost of identity crime and misuse to government agencies. However, it is possible to produce a range of estimates that are based on the average number of offences, associated losses, as well as prevention and remediation costs.
Cost of benefits fraud
Within the constraints of available Centrelink data, the overall value of identity frauds between 1992 and 2013 is shown in Figure 24. Analysis of the data reveals that over this 21 year period, there was an annual average of $8.9m worth of identity fraud detected by DHS.
Figure 24: Total value of identity fraud against DHS (Centrelink), by year, 1/07/1992 to 30/04/2013
* To 30 April 2013
Source: Department of Human Services—Centrelink
The 2003–04 Federal Budget committed funding to expand the specialist identity fraud investigation teams within DHS, including the development of Tactical Intelligence Analysts based in Sydney, Melbourne, Brisbane and Canberra. As a result, it can be seen in Figure 24 that between 2005 and 2009 there was a considerable spike in the value of identity fraud detected by DHS.
There are also detailed findings from an AIC study on welfare fraud in Australia which show that in 2008–09 there were 3,873 investigations conducted into possible identity frauds, with 166 referrals for prosecution, and $15.1 million in debts and savings (Prenzler 2012; 64). In general, the report observes that around 3,000 cases are prosecuted each year, representing about 0.04 percent of all Centrelink customers, with the losses in these cases adding up to approximately $40.5m per year and involving approximately $120.9m per year in gross savings and amounts targeted for recovery (Prenzler 2012; xii).
Case Study 9 (December 2005): Centrelink benefits fraud using fictitious identities
Over a six year period, a Queensland nurse created four adult identities and registered that these persons had given birth to nine sets of twins. These fabricated identities were then used to claim family assistance payments from Centrelink worth $622,000. The offender was charged with 10 counts of obtaining benefit by deception and was sentenced to seven years imprisonment.
Apart from the ATO that provided data on the number and value of income tax returns that were withheld due to identity crime in 2010–11 (6,427 returns worth $15m), no other government agency that participated in the pilot (either Australian or state and territory) was able to provide information about the costs to the agency of identity crime.
Estimated cost to investigate and prosecute identity crimes
Data presented in Table 4 shows the estimated annual direct costs to law enforcement agencies and criminal courts associated with investigating and prosecuting identity crimes. While there are variations in the time periods for which these figures apply, these estimates are based on the data available and are meant for indicative purposes only.
Table 4: Estimated annual direct costs of investigating and prosecuting identity crimes, by agency and year
These estimates are based on the assumption that a single identity crime case costs state courts and police $3,000 per incident; the mid-point between the ABS (2012) average loss per personal fraud incident ($2,000) and the direct out-of-pocket losses per incident ($4,101) reported in the AIC Survey (Smith & Hutchings 2014). While this rough estimate of investigation and prosecution costs is not ideal, without more reliable cost data provided by state courts and police, it is very difficult to determine whether this $3,000 incident cost estimate is too high, or too low. For more detail about how the individual costs in Table 4 were calculated, see Appendix D.
3.2 Direct costs of identity crime and misuse to business Key findings: Identity crime costs businesses at least $140 million each year. While the number of incidents has fluctuated, the financial impact of identity crime is consistently on the rise. This underscores the need for the private sector to play an active role in detecting and preventing identity crime.
Within the time and resources available during the pilot, it was not possible to engage private sector organisations about the cost of identity crime and misuse. Consequently, data for this indicator was sourced from recent KPMG surveys on fraud and misconduct affecting Australian and New Zealand businesses (KPMG 2009, 2010 & 2013) (see Figure 25). The surveys ask respondents about incidents occurring in the previous 24 month period.
The most recent survey obtained responses from 281 private sector organisations across a range of industries including: financial and insurance services; health care and social assistance; manufacturing, energy, gas and water providers; and construction, as well as several other key industries.
Data presented in Figure 25 shows that while the number of all recorded frauds has fluctuated, the total value of these frauds has consistently increased, from $301m in 2006–2008 to $373m in 2010–2012. Estimates of the cost of identity-related frauds to business can be calculated based on the range that between 25-50 percent of all frauds involve some form of identity crime. If this is the case, the cost of identity fraud to Australian and New Zealand business in 2010–2012 was at least $140 million. However, these cost estimates are based on the survey responses provided by only 281 organisations and, as such, the total identity crime costs to all private sector organisations are certainly going to be many times higher.
Figure 25: Number and value of frauds against Australian and New Zealand businesses,
by year (2006—2012)
Source: KPMG 2009, 2010 & 2013
Payment identity fraud
The Australian Payments Clearing Association (APCA) monitors payment systems in Australia’s financial sector, particularly non-cash transactions such as cheques, direct debit/credits, EFTPOS and ATM transactions as well as high value payments. The APCA publishes annual statistics on the number of fraudulent payments made in Australia (see Figure 26).
Figure 26: Value of credit card frauds, by fraud type and year (2005–06 to 2012–13)
Source: Australian Payments Clearing Association 2006–2013
Data presented in Figure 26 shows that the total value of credit card fraud is being driven upwards by card-not-present fraud (where a fraudulent transaction is made using only the credit card details and not the physical card). In 2005–06 there were just over $13 million worth of CNP frauds, while in 2012–13 the value reached over $82 million, an increase of 600 percent in just eight years.
It is difficult to estimate the proportion of these credit card frauds that are identity crime-related, as this category comprises a range of fraud methodologies. These include transactions on lost/stolen cards; frauds where a recently issued card has been intercepted and used before reaching the owner; fraudulent applications involving stolen, fabricated or manipulated identity information; counterfeit/skimming; card-not-present frauds; and other miscellaneous frauds—all of which could be conducted using cards held by individuals or organisations.
There is some debate as to whether credit card fraud should be considered as identity crime or rather classified as a type of financial fraud. This is in part because many victims of credit card fraud are reimbursed by financial institutions and so do not experience any significant impacts (although these costs may be passed on in other ways such as increased fees). However, as credit card fraud generally involves the use of the card holder’s name or other personal information, it has been included within the definition of identity crime for the purpose of the pilot. This view is supported by the results of the AIC Survey, which indicate that respondents thought that credit card details should be considered as personal information.
Case Study 10 (October 2011): Inter-agency investigation busts fake credit card syndicate Following a collaborative investigation between the Australian Federal Police, New South Wales Police Force, New South Wales Roads and Maritime Services, and Department of Immigration and Border Protection, a sophisticated fake credit card syndicate was busted. After raiding two properties in Sydney, police officers found 12,000 blank credit cards and hundreds of blank NSW driver licences in addition to equipment and computer files used to manufacture fraudulent documents. It is estimated that the fake credit cards could have been used to complete $30m in fraudulent transactions. Source: ABC News, 20 October, 2011
3.3 Direct financial losses to victims of identity crime and misuse
Key findings: The majority of identity victims lose relatively small amounts of money of up to $1,000, although in some cases losses can run to hundreds of thousands of dollars. A significant proportion of victims also experience demands on their time or other adverse impacts to their mental or physical health, reputations or general wellbeing.
The AIC Survey asked respondents about financial losses suffered as a result of misuse of their personal information. Of the 4,995 participants, 250 respondents (five percent or one in 20) reported losing money ranging between $1 and $310,000, with a median loss of $247 per victim (i.e. half the victims lost more than $247 and half lost less than that). The distribution of the financial losses that victims reported experiencing in the previous 12 months is presented in Figure 27. It can be seen that the vast majority of victims lost an amount less than $1,000.
Figure 27: Distribution of financial losses experienced by victims in the preceding 12 months
Source: Smith & Hutchings 2014
Survey respondents were also asked whether they were able to recover any losses or were reimbursed by banks or other organisations. Responses indicate that on average victims were able to recover $2,381 (although 45 percent did not recover any money), leaving an average out-of-pocket loss of $4,101 per victim (Smith & Hutchings 2014) (see Figure 28).
These findings are similar to those produced by the ABS (2012), which found that three in five personal fraud victims (60%) lost money at an average of $2,000 per person (median $300). Comparable data from the United States shows that two-thirds of identity theft victims (66%) reported a direct financial loss, at an average of $USD9,650 per victim (median $USD1,900) (Harrell & Langton 2013; 6).
3.4 Number of identity crime victims experiencing non-financial consequences
Key findings: In addition to financial losses, many victims of identity crime experience other mental and physical health impacts. The stress and frustration of trying to regain control of one’s identity information and financial reputation can also damage family and social relationships.
There are only a small number of studies that have sought to measure the non-monetary impact of identity crime victimisation, such as the emotional and psychological harm.
Results from the AIC Survey show that one in 10 victims (11%) experienced mental or emotional distress that required counselling or other treatment, while one in 17 (6%) were wrongly accused of a crime (i.e. the criminal who stolen the identity information used it to commit an offence for which the victim was accused) (Smith & Hutchings 2014).
It has been observed that ‘few people realise that identity theft may have long term, unexpected consequences which may significantly impact the life of the victim’ (Identity Theft Resource Centre 2010; 24). Indeed, an American survey conducted in 2008 found that the psychological trauma experienced by some identity crime victims was similar to that experienced by victims of violent crime (Van Vliet & Dicks 2010). Coming to terms with the fact that your identity has been stolen and used to commit crimes can be a very difficult situation for many victims to deal with, in that ‘the psychological distress caused by the crime itself is heightened when victims encounter difficulties clearing their name’ (Lawson 2011; 18).
Identity crime affects not only the individuals who are victimised, but can also have negative impacts on the victim’s friends and family. It has been shown that the stress and frustration of trying to regain control of one’s identity information and financial reputation can damage family and social relationships (Lawson 2011; 18). When identity information is stolen and used to commit other offences, the damage caused to the victim’s reputation can take years to repair (see Case Study 11).
Case Study 11 (September 2004): The non-financial consequences of identity theft A 46-year-old British man regularly shopped online from large well-known retailers. His credit card details were stolen and used by an offender in Jakarta, Indonesia to purchase child exploitation material. The victim was arrested by the British police as part of a criminal investigation into child exploitation. When his employer discovered that he had been arrested for allegedly downloading child exploitation material, he was dismissed from his job as a well-paid executive. His close friends and family refused to talk to him anymore. It took the victim almost four years to clear his name and repair the damage to his reputation. Source: BBC UK, 3 April, 2008