cyber crime

hackers electionDespite years of battling by the financial industry and a massive change in the way Americans use debit and credit cards, the rate of identity theft soared during 2016, a new report has found. In fact, it hit an all-time high.

An estimated 15.4 million consumers were hit with some kind of ID theft last year, according to Javelin Strategy & Research, up from 13.1 million the year before.

The report begins ominously: “2016 will be remembered as a banner year for fraudsters, as numerous measures of identity fraud reached new heights.” Fraud losses totaled $16 billion, the report found.

About 1 in every 16 U.S. adults were victims of ID theft last year (6.15%) — and the incidence rate jumped some 16% year over year. This despite 2016 being the first full year that brick-and-mortar retailers were forced to accept more secure EMV chip cards or face liability consequences.

The shift to EMV was supposed to virtually eliminate one type of ID Theft, card cloning, which allows criminals to steal account data and write it onto counterfeit cards used to make fraudulent in-store purchases. Visa said that part of the EMV has worked: Counterfeit fraud is down 52% at EMV-enabled stores.

Predictably, criminals shifted away from card cloning and toward card-not present fraud — largely online purchases, where chips are not necessary. The Javelin report said card-not-present fraud rose a whopping 40% last year. But the real surprise in the Javelin report is that many other forms of fraud also spiked.

Fraud ‘Anywhere We Looked’

Account takeovers — where a criminal hijacks credentials for an existing account — climbed 31%, Javelin said. New account fraud is up, too, according to Javelin, with incidence rates up 20%.

Even theft involving cell phone account takeovers — which help criminals gain access to financial accounts when consumers utilize two-factor authentication involving a text message or token app — has doubled in the past year.

“Anywhere we looked, we saw that there was just more fraud,” said Al Pascual, head of fraud and security at Javelin.

The Javelin data comes from a statistically significant sample of about 5,000 U.S. consumers. The survey is now in its 14th year; it was initially conducted by the Federal Trade Commission in 2003. This year’s study was paid for by LifeLock, though conducted independently, Javelin said.

The findings square with results published in January by ACI Worldwide, which also indicated that criminal fraud activity was up sharply. Retail fraud attempts rose 31% during the holiday shopping season compared to last year, said ACI, which monitors transactions for fraud.

Analysts also agree fraud attempts are up.

“I’m hearing the same trends from large banks – the percentage of fraud attempts against them is dramatically increasing,” said Avivah Litan, an analyst at Gartner, in response to the ACI report.

The Good News

The story isn’t all bad, according to Javelin. While incidence of crime is up, the dollar amount per victim is steadily dropping, as is the time it takes for many victims to detect ID theft. That’s in part because consumers are utilizing online tools — checking their accounts more frequently — to look for fraud, Pascual said. (You can view your free credit report summary, updated every 14 days, on Signs of identity theft include a sudden drop in credit scores, mysterious credit inquiries and new accounts you didn’t open.)

“I don’t want to make this sound like an all-bad news story,” he said. While total losses — $16 billion — were up slightly over last year, they were still well below the $22 billion record set in 2012.

Still, the dramatic increase in the number of victims raises obvious questions: Why is fraud up, even after these major investments in fraud-fighting technology?

Pascual said the shift to EMV has probably motivated criminals to act fast. For starters, since not all merchants are EMV-ready yet — gas stations still have several years to be compliant, for example — criminals are racing to squeeze the last few dollars out of that fraud scheme.

“(EMV) forces criminals to do things like use up all the counterfeit fraud accounts they have access to,” Pascual said. “It also motivates criminals to look for other kinds of fraud.”

With the easy money of cloned card fraud drying up, thieves are experimenting more and more with account takeovers and new account fraud, he said.

Are EMV Chips at Fault?

“I think it’s a combination of (things),” Litan said, responding to the question of whether EMV chips are to blame. First on her list is the proliferation of “fraud kits” that budding young criminals can purchase and immediately use with little or no experience. There are also far more criminals, she said. Criminals working “double time” to deal with security enhancements like EMV are another factor.

It’s troubling, however, that criminals have been nudged toward the kinds of fraud that makes life more miserable for consumers. Simple credit card fraud is pretty easy to recover from and usually only a call to the bank is required. But account takeover or new account fraud are far more complex.

“It’s a continued arms race,” said Stephen Coggeshall, the chief analytics and science officer at Javelin. “We get better with our tools, they continue to migrate … we are not necessarily losing the battle.”

Still, Pascual believes the shift to EMV was worth it.

“Over the long term, if you look at other markets that did this, as long as we are closing windows and doors, improving authentication on existing accounts, it’s a good thing,” he said.

This article originally appeared on and was written by Bob Sullivan.