More than one in four identity crime victims now face multiple concurrent incidents, according to new research from the Identity Theft Resource Center. The nonprofit's 2026 Trends in Identity Report analyzed over 6,000 cases submitted between April 2025 and March 2026, finding that 26% of victims dealt with two or more identity crimes simultaneously. This represents an increase from 24% the previous year and reflects what experts describe as increasingly complex attack patterns where a single compromise triggers cascading fraud across multiple accounts and institutions.

Unauthorized device and PC access emerged as the fastest-growing threat vector, jumping 78% year over year to account for 27% of all identity compromise incidents. This category now represents the primary threat for adults aged 35 to 64. Once attackers gain control of a phone or laptop, they can intercept recovery codes, approve login prompts, access work email, and exploit trusted sessions to bypass security controls that appear robust on paper.

Account takeovers represented half of all identity misuse cases during the reporting period, while new account fraud accounted for 38%. Smaller categories included fraudulent employment at 5%, criminal acts using stolen personal information at 4%, and IRS-related misuse at 3%. Notably, fraudulent employment represented 40% of misuse cases involving children's identities, indicating widespread use of minors' information to secure jobs illegally. Financial institutions caught and blocked 27% more attempted misuse compared to the previous period.

Recovery outcomes varied dramatically based on financial impact. Approximately 53% of victims who experienced no financial loss reached resolution, but this figure plummeted to just 9% for those who lost money. Security experts attribute these poor recovery rates partly to siloed organizational structures where customer support, IT, legal, finance, and security operations teams work in separate systems without coordinated workflows.

Security professionals recommend organizations test whether their identity protection controls hold up under real attack conditions, particularly scenarios involving stolen sessions or compromised devices. Experts suggest that AI-driven automation can help connect fragmented response workflows, surface relevant evidence quickly, and accelerate response steps before delays compound victim difficulties. Organizations should evaluate whether their current defenses can detect and contain threats that spread across multiple systems following an initial device compromise.

Source: https://www.infosecurity-magazine.com/news/quarter-identity-crime-victims/