Identity theft

Identity theft is when someone tries to steal and use your personally identifiable information to defraud or harm you. This information, or ‘data’, is anything that helps to identify who you are or how to find you.

Many businesses need your personally identifiable information for legitimate communication. However, this is not always the case and some of your information may be misused by criminals or used inappropriately by marketers.

On this page:

This page offers general advice for adults. Tailored advice is also available for young people and for anyone experiencing online abuse as part of domestic and family violence.

What is personally identifiable information?

Personally identifiable information is any information, or ‘data’, that helps to identify a person or how to find that person. The personally identifiable information may include your:

  • full name
  • address
  • phone numbers
  • school
  • date of birth
  • email address
  • location check-ins
  • event RSVPs
  • photos
  • usernames, passwords and passphrases
  • bank account details.
     

What is identity theft?

Identity theft is when someone tries to steal your personally identifiable information in order to defraud you of money.

It is important to be careful about the amount of personally identifiable information you disclose online. Your information from different online services could be pieced together and used to access your accounts or create others in your name.

Who wants my personally identifiable information?

Many online platforms ask users to provide some personally identifiable information to use their service. Before you give any information, you should think about what can be done with your personally identifiable information and assess whether you are still happy to pass on these details. 

Some online activities that may require a level of disclosure of personal information include:

  • Shopping. When online shopping, details are sometimes needed to verify the identity of the purchaser, to process payments or for the delivery of goods.
  • Subscribing or registering to a mailing list. Creating a screen name or ID and giving an email address are usually minimum requirements when you subscribe or register to a mailing list. Other information might also be requested like your age, gender, address, photo and personal likes or dislikes. Think about whether this information is needed for what you’re signing up for. Remember that an asterisk (*) generally means these are required fields you need to fill out to register.
  • Competitions, prizes and rewards. Your personal data could be used by marketers to promote products and services, including personal interests and demographic details.
  • Online games and virtual worlds. Sometimes before users can begin to play, they might be asked to register their details or a new account. 

WARNING: When giving out any personally identifiable information, it’s important to be aware of how this information might be used inappropriately.

 

Scammers could set up fake accounts in your name or try to steal money from your bank account.

 

Bullies and abusers could pose as you and share something embarrassing on your social media accounts.

 

Doxers might share your street address and name with people who want to harm or scare you.

 

Sharing personally identifiable information online can have an impact on your life now or in the future, and sometimes, might even be permanent. You may not always have control over who sees or accesses your personal information.

 

Find out more on our page about how to manage your digital reputation.

How can I protect my personally identifiable information?

Set up multi-factor authentication and have strong passphrases

Multi-factor authentication (also known as 2-step authentication) adds an extra layer of security to accessing your information that only you can manage. This means that when you log into an account with your password, you might be asked to do an extra step to confirm that it’s you – like enter a number from a text message or even a fingerprint.

If you can’t set up multi-factor authentication, your next best option is to set up a passphrase – this is a password that is made up of four or more random words. Make sure it is something you can remember but others can’t guess, like BlueChocololate#239TriumphFi$h. 

Try thinking of a different passphrase for each of your accounts. A password manager app or your computer or phone can also help you create and remember complex passwords that are hard for others to guess or hack. 

When creating passwords or passphrases there are some definite dos and don’ts.

Password dos

Use between 12 and 20 characters, with a mix of letters and numbers – longer passwords are stronger.

Use a combination of words that aren’t predictable but that you can remember.

Use multi-factor authentication on accounts containing personally identifiable information.

Password don'ts

Don't use words that are personal to you like pet names, birthdates, family or friends’ names, favourite foods, colours or singers in your new passwords.

Don't use a predictable combination of words, like 'ilovehiking', a context specific word, like ‘google’, or repeated sequential characters, like ‘aaaaaa’ or ‘123456’.

Avoid famous quotations that might be easy to guess.

Don't store them on your device, unless it’s via a password manager which stores them in an encrypted database.

Remember: Never share your passwords or passphrases with anyone else.

Watch our videos on how to set up strong passwords on this page for a step-by-step guide.

Learn more about multi-factor authentication and passphrases at cyber.gov.au/learn/passphrases.
 

Check for regular updates and back up your devices

Hackers, scammers and cyber criminals can break into your devices if there are unpatched weaknesses in the system or apps. It’s important to update your devices with the latest software to make sure these security weaknesses are fixed. If you have antivirus installed on your devices, make sure to also check for regular updates from the software provider. 

It’s also good to keep a digital copy of important information, including personally identifiable information. Saving backups of important files – like photos, documents and videos – to an external storage device or the cloud can help restore information if something goes wrong.

Find out more about updating your device and creating backups.

Connect to secure wi-fi networks

Scammers and cyber criminals have the chance to access your personally identifiable information through ‘free’ wi-fi hotspots in public places, such as airports, cafes and libraries. When you need to access important accounts or send sensitive information, connect to a trusted internet connection, such as at home, at work or by using your own mobile data if it’s available.

Be aware of other threats like ransomware, phishing emails and texts where your personally identifiable information might be at risk of being shared or accessed by more people than just you.

You can check services like haveibeenpwned.com to find out whether a site or app you use has had a data breach (when your information that is meant to be secure has been revealed to others or stolen). If this has happened, change your passwords or passphrases straight away.

For more information about public wi-fi hotspots and other common cyber security threats, visit cyber.gov.au/learn/threats.

Double check any website or app asking you for your personally identifiable information

Some websites and apps are built by scammers and are designed to collect people’s personally identifiable information, so they can hack your accounts or steal your money. If it looks dodgy, don’t hand over any personal information. Here are some quick tips for identifying dodgy sites and apps:

  • Check that the URL for a website is the main URL you normally use to access that site.
  • A padlock beside a site name in the address bar or a URL that starts with ‘https’ instead of ‘http’ can mean a site is more secure than other sites.
  • Check that the branding is accurate – that it appears the same across all platforms, the logo is not blurred and the spelling is correct.
  • Check your app store for reviews of apps before you download them. If there are lots of users and good reviews, it’s unlikely to be a scam. If there aren’t any reviews, do an online search – scams usually get identified fairly quickly and people often post online about them.
  • Check out Scamwatch and Stay Smart Online.

Report and be aware of scams

Is an app, email or text asking you to input lots of personal information or provide your login details for any social media accounts? If so, it’s likely to be a scam. 

Being alert to a scam message can help you protect yourself online. If you’re unsure whether the message you’ve received is a scam or not, go directly to a source you can trust (for example, a bank’s website). From here, you can check what details they might ask from you if they need to confirm any details about you or your account. 

Make sure not to click on any links, open attachments or reply to the scam message – this might be a way for the scammer to trick you into sending your personally identifiable information. If something sounds too good to be true, it’s probably a scam.

If in doubt about the legitimacy of a website, call the organisation it claims to represent. The Scamwatch website provides further advice on how to identify and report potential scams.

Bonus tip: Banking institutions will never email or message people asking for their username or password. If you receive an email by an organisation claiming to represent a banking institution, report the email to the bank and Scamwatch. Do not respond and do not click on any links provided.

For more information about scams, visit cyber.gov.au/learn/scams.

    Check your settings

    The big social media sites and other apps that most people trust with their information offer privacy controls, so make sure you use them. Every once in a while, check your settings and see if you’re OK with how your data is being used or how much information you’re sharing with other people, including potential advertisers. If you’re not happy, change it up! For more info about privacy settings see The eSafety Guide.

    On an iPhone you can go to Settings > Privacy to check which tracking and advertising options are active and which ones you would like to limit. For an Android phone, go to Settings > Privacy and find the Ads section to opt in or out of the ad preferences. Although this may not limit the amount of ads you see, it will make them less personally targeted, if that’s what you prefer. 

    Different apps and online platforms have their own tracking and advertising settings you can manage and change as well, such as Facebook, Instagram, TikTok, Twitter, Snapchat and YouTube. Check out The eSafety Guide for more information. 

    You can also reduce the amount of spam you receive by:

    • limiting disclosure of email addresses and mobile numbers
    • installing and using spam filtering software
    • checking the terms and conditions when buying products, entering competitions or registering for services or email newsletters
    • not allowing contact details to be used for marketing purposes (making sure you check the opt out box).

    Delete cookies

    Cookies are small text files storing information about your browsing activity, allowing websites to recognise you and save your settings. There are different types of cookies, such as ‘session cookies’ that last for one browsing session, and ‘persistent cookies’ that remain on your device after you close your browser. Although there are other ways you can be tracked online, deleting your cookies will limit some access.

    To delete cookies, go to the settings within your browser and look for a section that allows you to ‘manage cookies’.

    Log out of social media sites and emails when you browse the web

    Another simple strategy is to log out of your social media sites and email accounts while you are doing other things online. That means actually logging out, not just closing the tab. This won't stop you from being tracked online, but it will make it harder for these services to link your behaviour with your name or details of your previous browsing history and social media footprint.

    Avoid using social media accounts to sign in

    If you can avoid using your social media accounts to sign into other apps or accounts, this will reduce the information the new app or account has access to. When you use your social media account to sign into other apps or online accounts you are often agreeing that this new account is allowed to have access to all the information you share in your other account.

    Use private or incognito mode

    Most browsers give you an option to browse the web privately or use ‘incognito’ mode. This means that the history of any sites you visit and any cookies from sites you go to won’t be stored in your browser. 

    Bonus tip: Ever noticed how prices seem to go up on flights and hotels the second time you visit a site? This is because the site uses cookies and tracking to set the pricing. If you use private browsing or ‘incognito’ mode its harder for companies to use their algorithms to artificially inflate prices.

    Think about what personal information is really needed 

    When signing up for things or registering an account, if the information is required (or ‘mandatory’), usually the category will have an asterisk. The categories without an asterisk can be left blank. Don’t pass on your personal information unnecessarily. Even the most trusted sites tend to ask for more than they really need.

    You can also read user agreements and privacy policies. Many organisations use information for marketing purposes and may sell it to other marketing firms. If you do post information on a website that sells information to marketers, you may receive promotional spam emails which can be difficult to stop.

    What should I do if my personally identifiable information is misused or stolen?

    Stay calm

    First things first: if your data has been misused or stolen, understand that it’s not your fault. The person who used your information without your consent is the one who did the wrong thing.

    Log yourself out of your accounts on all devices

    This will log everyone out – including the person who’s using your information.

    Change the passphrases on your accounts

    Right after you log out of your accounts, log in on a safe device and update your passphrase to something new and secure.

    Check your accounts for any suspicious activity

    Check to see if anything has changed or seems out of place. Hackers and scammers may not take advantage of your personally identifiable information straight away. Keeping an eye out for suspicious transactions, emails or other forms of contact can help you understand if and how your information is being misused. 

    Screenshot and report online abuse

    This is important if someone has created a fake account in your name, or a hacker has leaked your personally identifiable information (called ‘doxing’). The eSafety Guide has information about how to do this on different sites and apps. If a hacker has leaked your intimate images or videos, this is called image-based abuse and should be reported to eSafety straight away.

    Report cybercrimes

    Identity theft or fraud can be reported to the Australian Cyber Security Centre (ACSC).

    Australia and New Zealand’s National Identity Support Service IDCARE can help you deal with the consequences of identity theft. IDCARE’s services are free to the community and its expertise lies in supporting people and organisations when personally identifiable information has been put at risk.

    If it was part of a scam, Scamwatch can also help you.

    Get help and support

    If you’re really concerned about what’s happened or you’re feeling a little out of your depth, talk with a friend, family member or someone else you trust. You may feel like you should be able to handle it yourself but talking to someone can make it easier to decide what to do and deal with the impact. You can also seek help from a confidential counselling or support service.
     

    VIDEOS: How to set strong passwords and set up multi-factor authentication

    Changing passwords on a Windows based machine

    Changing Passwords on Macs

    Audio

    Effective passwords keep emails and online accounts protected and secure.
    Passwords should be hard to guess, and there should be a different password used for each important account.

    The best passwords are at least 12-15 characters long. 
    To make them easier to remember, passwords can be made into a sentence. 
    For example, #sandytoesinhawaii7 is easier to remember than a series of random numbers and letters. 
    Adding symbols and numbers makes it harder to guess.
    No-one should use words that are associated with them, that could be easy to guess. 
    For example, don’t use the names of children or pets, or birthdays.

    Users should not allow browsers to remember passwords. 
    While it is faster to have passwords automatically filled-in, it means anyone using the same device can have instant access to these accounts if they know the user name.

    Users should Log out every time they have finished using a website or app, or other online service.
    If a User doesn’t log out, their account remains open which means others with device access can also access the account.
    The browser window should also be closed after using a website or other online service.

    If a user thinks their device is being monitored by a perpetrator, they should regularly change the username and passwords of the important accounts they access, using a safe device to do so.

    Passwords should not be shared with anyone else, including children if an abusive current or ex-partner is in contact with them.

    How to make effective passwords if you are at risk of tech-facilitated abuse

    Two Factor Authentication