Identity Theft: How Older Adults Can Protect Themselves and Respond If It Happens
Identity theft is one of the fastest-growing crimes targeting older adults, and it can take months to resolve. This guide explains how thieves get your information, what they do with it, and how to protect yourself effectively.
What Identity Theft Actually Means
Identity theft occurs when someone obtains enough of your personal information to use it fraudulently, typically to open financial accounts, take out credit, make purchases, or claim benefits in your name. The consequences can include significant financial losses, damage to your credit rating, debt collection activity for debts you never incurred, and a resolution process that can take months or even years.
Older adults are targeted disproportionately by identity thieves for several reasons. They are more likely to have substantial savings, a good credit history, and regular income through pensions. They may be less familiar with some of the digital channels through which personal information is harvested. And they are more likely to have regular correspondence through the post, which remains one of the most common sources of information for identity thieves.
The good news is that the practical steps needed to significantly reduce your risk of identity theft are straightforward. This guide covers what thieves actually need to steal your identity, where they get it, and what you can do about each of those sources.
What Information Thieves Need
Identity thieves need to assemble a picture of who you are that is convincing enough to pass the verification checks used by banks, lenders, and service providers. The key pieces of information are: your full name, date of birth, current address, and National Insurance number. With just these four pieces of information, a fraudster can make a significant number of fraudulent applications.
Additional information that makes fraud easier includes previous addresses, your bank account details, your mother's maiden name (commonly used as a security question), your passport number or driving licence number, and your email address and associated passwords.
The most damaging situations are those where thieves access multiple pieces of this information from a single source, which is why data breaches at organisations holding your personal data are so significant. But thieves also piece together information from multiple smaller sources, which is why the habit of protecting each piece of information matters even when the individual disclosure seems minor.
How Thieves Get Your Information
Post theft and bin searches remain significant sources of personal information for identity thieves. Your name and address are on most correspondence. Bank statements include account details. Letters from HMRC include your National Insurance number. Shredding all documents that include personal information before disposing of them is therefore a genuinely important protective habit, not a paranoid one.
Phishing emails are designed to trick recipients into revealing personal information by impersonating trusted organisations such as banks, HMRC, the NHS, or parcel delivery services. These emails have become increasingly sophisticated and are sometimes very difficult to distinguish from genuine correspondence. They typically create urgency (your account has been compromised, a parcel is waiting, you are owed a refund) and direct you to a fake website that captures whatever you enter.
Phone scams, known as vishing, involve callers impersonating banks, government agencies, or other trusted organisations. They may already know some of your information (often from data that has been purchased or harvested), which makes them seem credible. The rule for phone calls is that you should never give out personal or financial information to an incoming caller, regardless of who they say they are. Legitimate organisations do not ask for this information by phone. Hang up and call the organisation back on a number you find independently.
Data breaches at companies you have an account with are outside your direct control, but being aware of breaches affecting organisations you use allows you to change passwords and monitor your accounts proactively. Services like Have I Been Pwned (haveibeenpwned.com) allow you to check whether your email address has appeared in known data breaches.
Checking Your Credit File
One of the most effective early warning systems for identity theft is checking your credit file regularly. Your credit file shows all credit applications and accounts associated with your name and address. A fraudulent application in your name will appear here, often before you are aware anything has happened.
You are legally entitled to access your credit file for free through the UK's three main credit reference agencies: Equifax, Experian, and TransUnion. Each may hold slightly different information, so it is worth checking all three. Alternatively, services like ClearScore and Credit Karma provide ongoing free access to your credit information and alert you to changes.
Look for any credit applications or accounts that you do not recognise. If you find something unexpected, contact the credit reference agency and the organisation concerned immediately. Report identity theft to Action Fraud (0300 123 2040 or actionfraud.police.uk), which is the UK's national reporting centre for fraud and cybercrime.
Protecting Your Accounts
Strong, unique passwords for online accounts are one of the most important protections against your accounts being accessed without your permission. A strong password is at least twelve characters long and uses a combination of letters, numbers, and symbols. A unique password means a different one for every account, so that if one is compromised, the others are not automatically at risk.
A password manager is an application that stores all your passwords securely so you only need to remember one master password. Reputable options include Bitwarden (free), LastPass, and 1Password. Setting these up requires some initial effort but makes using strong, unique passwords practical for people who would otherwise struggle to remember them.
Two-factor authentication (2FA) adds a second layer of protection to online accounts by requiring a code sent to your phone or generated by an authentication app, in addition to your password. Enable it on all accounts that offer it, particularly your email and banking accounts. Your email account is especially important: if a thief gains access to your email, they can use the password reset function to access almost every other account associated with that email address.
What to Do If You Are a Victim
If you discover that your identity has been stolen, act quickly. Contact your bank immediately if financial accounts are involved. Report to Action Fraud. Place a notice of correction or protective registration on your credit file through the credit reference agencies; this flags to lenders that identity fraud is suspected and prompts additional checks before any credit is issued in your name.
Keep detailed records of everything you do, every call you make, every letter you send, and every response you receive. The resolution process can take time, and having a clear record is essential for every step of it. Citizens Advice can provide support and guidance throughout the process if you need help. You are not alone, and this is resolvable, even though the process requires persistence.