National Library of New Zealand
Harvested by the National Library of New Zealand on: Oct 16 2017 at 9:56:32 GMT
Search boxes and external links may not function. Having trouble viewing this page? Click here
Close Minimize Help
Wayback Machine
The Department of Internal Affairs

The Department of Internal Affairs

Te Tari Taiwhenua

Building a safe, prosperous and respected nation


How does identity theft happen?

Identity theft is stealing details about a person to pretend to be that person. This could be committed to gain financial benefits the person is entitled to, to avoid arrest or court orders by appearing to be a different person or even to maliciously impersonate the person, perhaps to make it appear that they believe or think something controversial.

The methods criminals use to steal personal information change frequently, particularly those that exploit technology. There are some methods that have been used in many cases and they can be divided into three categories.


Information given away

This method is the simplest, when people give their personal information away. Frequently this occurs on social networking sites, so it is important to ensure that you have privacy controls in place and don’t accept friend requests from people you don’t know.


Offline methods

Dumpster diving

Going through people’s rubbish to find items showing personal information, such as credit card and bank statements, bills and envelopes showing a full name (and sometimes a logo of a company where an account is held).

Shoulder surfing

Looking over a person’s shoulder as they enter their PIN at an ATM, eftpos terminal or when using Internet banking in a public place.

Wallet or document theft

Stealing or acquiring a document and using the information it includes. If this is a wallet, this is likely to be a large amount of information about a person, even if the cards are cancelled.

Bogus phone calls

Calling a person and convincing them to provide information or to take some action. Callers may pretend to be from a legitimate company or government agency.


Capturing the information encoded into the magnetic strips on the back of credit and eftpos cards. This data can then be put onto a blank card and used to access the account.


Contacting a business and impersonating a legitimate customer to request their account information.

Business record theft

Stealing data from a business (which could be computerised or paper records). This is often done in larger numbers than pretexting, but both can involve staff members.


Online methods


Any software used to cause harm to a computer system or to subvert it for another use. Malware includes viruses, worms, trojan horses, backdoors, keystroke loggers, screen scrapers, rootkits and spyware.


Unsolicited electronic messages, which can be used to deliver malware or by criminals who are phishing. The Department of Internal Affairs’ Anti-Spam Unit provides help and information about spam, as well as enforcing the Unsolicited Electronic Messages Act 2007.


Luring people into providing information using emails and mirror-websites that look like they come from a legitimate business.


This is the same as phishing, but is directed at cellphones. As smartphones become more advanced, so does smishing.

Spear phishing

Luring people via websites and email that appear legitimate, when the criminal already knows something about the person’s habits (this could be by hacking into a business’s system or from information freely provided on the Internet).


Exploiting vulnerabilities in an electronic system or in computer software to steal personal data.

The Ministry of Consumer Affairs runs Scamwatch, which provides more information about scams (some of which are created to gain identity information).