Offensive Security · Jun 16, 2026 · 11 min read

Identity theft: how it happens and how to protect yourself

Identity theft lets an attacker pose as you or one of your employees. Here is how it happens, what the consequences are, and how to reduce the risk for yourself and your company.
Written by Raptoric Offensive Security

Identity theft is the misuse of someone's personal data so an attacker can pose as another person, open accounts, run transactions, or access systems. In a business context, a stolen employee identity is often the first step in a larger attack: with someone else's credentials, the attacker walks into your systems as a legitimate user. This post explains how identity theft happens, what the consequences are, and how to reduce the risk for yourself and for your company.

This is part of our overview of attack types. We establish identity and access protection through offensive security.

How identity theft happens

An attacker obtains the data in several ways, and often combines them.[1]

  • Phishing and social engineering, where the victim hands over data or passwords themselves.
  • Data leaked from breaches of other services, then sold on the criminal market.
  • Weak or reused passwords, which an attacker guesses or tries across multiple services.
  • Malware that logs keystrokes and steals credentials.
  • Theft of physical documents or unprotected devices.

The consequences

For an individual, identity theft can mean financial loss, fraudulent contracts, and a long cleanup. For a company, a stolen employee identity gives the attacker access to email, systems, and data as a legitimate user, which opens the door to business email compromise, data leaks, and the attack spreading further.

How to protect yourself

Protection combines technical measures with caution about your data.

  1. Turn on MFA
     Multi-factor authentication makes a stolen password almost worthless to an attacker.
  2. Use unique passwords
     A password manager and a unique password for each account stop one breach from cascading into many.
  3. Be careful with data
     Do not share personal data on demand from an unsolicited message or call.
  4. Watch your accounts
     Check accounts and sign-ins regularly and act on anything unusual.
  5. Protect your devices
     Encryption, screen locks, and updates reduce the risk if a device is lost or stolen.

What to do if you are a victim

If you suspect identity theft, change the compromised passwords and turn on MFA immediately, notify your bank and the affected services, preserve the evidence, and report the case. If personal data has been misused, you can also file a complaint with the relevant data protection authority. A fast response limits the damage.

How Raptoric helps

We help companies put identity and access management in order so a stolen password does not mean a breach, and we test how far a single stolen identity can reach through offensive security. Book a scoping call.

Frequently asked questions

How does identity theft usually happen?
Most often through phishing, data leaked from breaches of other services, and weak or reused passwords. An attacker frequently combines these methods to obtain credentials and personal data.

What is the best way to protect myself?
Multi-factor authentication, unique passwords backed by a password manager, and caution with personal data. MFA is the single strongest measure because it makes a stolen password almost worthless.

Why is identity theft a risk for a company, not just an individual?
A stolen employee identity gives an attacker access to systems as a legitimate user. It is a common first step toward business email compromise, data leaks, and the attack spreading inside the company.

What should I do if I am a victim of identity theft?
Change your passwords and turn on MFA immediately, notify your bank and the affected services, preserve the evidence, and report the case. If personal data has been misused, you can also file a complaint with the relevant data protection authority.

Sources

  1. ENISA. ENISA Threat Landscape. European Union Agency for Cybersecurity, 2024.
  2. CISA. Secure Our World — Identity protection. Cybersecurity and Infrastructure Security Agency, 2024.