Identity Theft & Online Scam Glossary: 40+ Terms Explained (2026)
If you've ever read a breach notification, a scam warning, or an identity-theft-protection sales page and felt buried in jargon, this glossary is for you. Below are the 40+ terms that come up most often in identity theft and online fraud — each one explained in plain English, with a real-world example and, where relevant, a link to a deeper guide on what to actually do about it.
Use the clusters below to jump to what you need, or read straight through for a complete grounding in how modern fraud works.
- Identity theft & fraud types
- Social engineering & scam tactics
- Technical threats & attacks
- Credentials & authentication
- Data, breaches & the dark web
- Protection & recovery concepts
Identity theft & fraud types
Identity theft
The umbrella term for any crime in which someone steals and uses your personal information — name, Social Security number, credit card, or medical ID — without permission, usually for financial gain. Everything else in this section is a specific flavor of it. If you think it's already happened to you, start with what to do if your Social Security number is stolen.
New-account fraud
When a criminal uses your stolen information to open a brand-new account in your name — a credit card, personal loan, phone contract, or utility. You often don't find out until a bill or collections notice arrives. This is one of the fastest-rising categories of identity fraud. If it happens to you, see someone opened a credit card in my name.
Account takeover (ATO)
The opposite of new-account fraud: instead of opening a new account, the attacker seizes control of one you already own — your bank, email, or shopping account — usually by stealing or resetting the password. Email takeover is especially dangerous because it can be used to reset every other account.
Synthetic identity theft
A hybrid, fabricated identity built by combining real data (frequently a child's or a deceased person's Social Security number) with made-up details. Because no single real person is watching the fictitious identity's credit, it can be cultivated for years before the fraud "busts out." It's now one of the most costly forms of identity crime.
Medical identity theft
When someone uses your identity to obtain medical care, prescriptions, or to file fraudulent insurance claims. Beyond the financial damage, it can corrupt your medical records with someone else's health data — a genuine safety risk.
Tax identity theft
When a criminal files a fraudulent tax return using your Social Security number to claim your refund before you do. The tell is usually an IRS rejection saying a return has already been filed. Prevention is largely about filing early and using an IRS IP PIN — see tax identity theft: how to protect yourself.
Child identity theft
The use of a minor's Social Security number to open accounts or commit fraud. It's attractive to criminals precisely because children have clean, unmonitored credit files, so the theft can go unnoticed until the child applies for their first loan or card years later.
Financial fraud
A broad term for any scheme that illegally deprives you of money — encompassing card fraud, wire fraud, investment scams, and more. Identity theft is often the first step; financial fraud is the payoff.
Social engineering & scam tactics
Social engineering
The art of manipulating people — rather than hacking machines — into handing over information or access. Nearly every scam below is a form of social engineering. Attackers exploit trust, fear, urgency, and authority to bypass your better judgment.
Phishing
A fraudulent message, classically an email, that impersonates a trusted brand or person to trick you into clicking a malicious link, opening a booby-trapped attachment, or entering credentials on a fake site. Phishing remains the single most-reported cybercrime tactic. Learn the tells in how to identify phishing links before you click.
Spear phishing
A targeted phishing attack aimed at a specific individual or organization, using personalized details (your name, employer, recent purchases) to appear far more convincing than mass phishing.
Whaling
Spear phishing aimed at "big fish" — executives, finance staff, or other high-value targets — often to authorize fraudulent wire transfers.
Smishing (SMS phishing)
Phishing delivered by text message. Think fake delivery notices, bank alerts, or "your account is locked" texts with a link. Because phones make links harder to inspect, smishing is highly effective — see is it safe to click links from SMS messages?
Vishing (voice phishing)
Phishing over a phone call, often using spoofed caller ID and urgency ("this is your bank's fraud department"). AI voice cloning has made vishing dramatically more convincing.
Pretexting
Inventing a believable backstory or "pretext" to extract information — for example, posing as IT support, a delivery driver, or a government official to justify their request for your details.
Baiting
Luring victims with the promise of something desirable — a free download, a gift card, a found USB drive — that delivers malware or harvests credentials instead.
Business email compromise (BEC)
A high-dollar scam in which attackers impersonate an executive, vendor, or partner over email to trick an employee into wiring money or sending sensitive data. It's one of the costliest categories of cybercrime by total losses.
Pharming
Redirecting traffic from a legitimate website to a fraudulent copy without the victim clicking anything — usually by poisoning DNS or altering a device's host settings. Even a correctly typed URL can land on the fake site.
Typosquatting
Registering domains that are common misspellings of popular sites (e.g. "gooogle.com") to catch mistyped traffic and serve scams or malware. Related to how you tell if a website is legit.
Spoofing
Faking the "from" data of a communication — an email address, a phone number (caller ID spoofing), or a website — so it appears to come from a trusted source. Learn to spot a faked sender in how to check if an email is fake.
Technical threats & attacks
Malware
Short for "malicious software" — any program designed to harm, exploit, or gain unauthorized access to a device. Viruses, worms, ransomware, spyware, and trojans are all malware. A single click on the wrong link can install it: see what happens if you click a malicious link.
Ransomware
Malware that encrypts your files and demands payment for the decryption key. For individuals it can mean losing photos and documents; for organizations it can halt operations entirely.
Spyware
Malware that secretly monitors your activity — keystrokes, screenshots, browsing — and exfiltrates it to an attacker.
Keylogger
A specific type of spyware that records every keystroke, capturing passwords and card numbers as you type them.
Trojan
Malware disguised as legitimate software. You install what looks like a useful app or file, and it opens a back door for the attacker.
Malicious link
Any URL crafted to harm you — by installing malware, phishing your credentials, or triggering a fraudulent download. When you're unsure about a link, don't guess: run it through a link safety checker or read how to check if a link is malicious.
Drive-by download
Malware that installs automatically just from visiting a compromised web page — no click required beyond loading the site.
Man-in-the-middle (MITM) attack
When an attacker secretly positions themselves between you and a service you're using — common on unsecured public Wi-Fi — to intercept or alter the data passing between you. This is a core reason SSL/HTTPS matters.
Card skimming
Capturing card data at the point of payment — via a physical overlay on an ATM or gas pump ("skimmer"), or its online equivalent, e-skimming, where malicious code steals card details entered on a checkout page.
Malicious QR code (quishing)
A QR code that points to a phishing site or triggers a harmful action when scanned. Because you can't read a QR code with your eyes, it hides the destination — see can QR codes be dangerous?
Credentials & authentication
Credentials
The information that proves who you are to a system — most commonly a username and password, but also security questions, tokens, and biometrics. Stolen credentials are the fuel for account takeover.
Credential stuffing
An automated attack that takes username/password pairs leaked in one breach and tries them en masse against other sites, exploiting password reuse. One reused password can compromise many accounts at once.
Brute-force attack
Systematically guessing a password by trying enormous numbers of combinations until one works. Short, simple passwords fall in seconds — which is why length and randomness matter. Test yours against is my password strong enough?
Password spraying
The inverse of brute force: instead of many passwords against one account, attackers try a few very common passwords (like "Password123") against many accounts, evading lockout limits.
Two-factor / multi-factor authentication (2FA / MFA)
A second (or third) proof of identity beyond your password — a texted code, an authenticator app, or a hardware key. It's one of the highest-impact protections you can enable. Note that app-based and hardware MFA resist SIM swapping better than SMS codes do.
SIM swap / SIM hijacking
An attack in which the criminal tricks your mobile carrier into moving your phone number to their SIM, letting them intercept your SMS 2FA codes and reset your accounts. A prime reason not to rely on SMS as your only second factor.
Password manager
Software that generates, stores, and autofills unique strong passwords for every account, so a breach of one site can't cascade to others. The practical antidote to credential stuffing and the password mistakes people still make.
Encryption
Scrambling data so only someone with the correct key can read it. The padlock/HTTPS in your browser means the connection is encrypted in transit — the foundation of SSL certificates.
Data, breaches & the dark web
Data breach
An incident in which protected information is accessed, stolen, or exposed without authorization. Breaches are the primary supply source of the personal data used in identity theft. If you're caught in one, follow what to do after a data breach.
Personally identifiable information (PII)
Any data that can identify a specific person — name, SSN, date of birth, address, email, biometric data. PII is exactly what criminals harvest to impersonate you.
Dark web
The portion of the internet that isn't indexed by search engines and requires special software to access. It hosts marketplaces where stolen credentials, card numbers, and full "identity kits" (fullz) are bought and sold. Wondering if your data is already out there? See has my personal information been leaked?
Dark web monitoring
A service that scans breach dumps and dark-web marketplaces for your personal information and alerts you when it appears — a core feature of most identity-protection products.
Data broker
A company that legally collects and sells consumer data compiled from public records, purchases, and online activity. Data brokers enlarge your exposure, which is why opting out of them is a common privacy step.
Fullz
Underground slang for a complete package of someone's stolen information — enough to fully impersonate them. The more complete the "fullz," the higher its price on the dark web.
Protection & recovery concepts
Credit freeze (security freeze)
Restricting access to your credit report so no one — including you — can open new credit until you lift it. It's free, reversible, and the single most effective block against new-account fraud. Here's how to freeze your credit at all 3 bureaus.
Fraud alert
A flag on your credit file that tells lenders to take extra steps to verify your identity before extending credit. Lighter-touch than a freeze, and free to place.
Credit monitoring
Ongoing surveillance of your credit reports that alerts you to new inquiries, accounts, or changes — helping you catch fraud early rather than after the damage is done.
Identity theft protection
A category of service that bundles monitoring (credit and dark web), alerts, and — crucially — recovery assistance and insurance. Whether it's worth paying for depends on your situation: see do I need identity theft protection?
Identity restoration
The hands-on help — often a dedicated case manager — that guides you through undoing the damage after identity theft: disputing accounts, filing reports, and restoring your records. The quality of restoration support is a major differentiator between protection services.
Identity theft insurance
Coverage that reimburses certain out-of-pocket costs of recovering from identity theft (lost wages, legal fees, notarization). It covers the cost of cleanup, not stolen funds directly.
Zero-liability protection
A card-network policy that shields you from paying for unauthorized charges when you report them promptly — a key reason credit cards are safer than debit cards for online purchases.
SSL/TLS certificate
The technology behind the padlock and "https://" in your address bar. It encrypts the connection between your browser and a site — but note it only proves the connection is secure, not that the site itself is honest. Details in is HTTPS enough to trust a website?
Put the terms to work
Understanding the vocabulary is step one. The next time a suspicious message, link, or website lands in front of you, you'll know exactly what you're looking at — and what to do next.
When you're not sure whether a specific link or site is safe, don't rely on instinct. Paste it into the free Link Safety Checker for an instant risk assessment, and if you suspect your information is already exposed, start with what to do after a data breach.
Sources & References
Frequently Asked Questions
What is the difference between phishing, smishing, and vishing?
They're the same social-engineering attack delivered over different channels. Phishing arrives by email, smishing by SMS text message, and vishing by voice call. All three try to trick you into revealing credentials, financial details, or personal information, or into clicking a malicious link.
What is synthetic identity theft?
Synthetic identity theft is when a criminal combines real information (often a stolen or child's Social Security number) with fabricated details like a fake name and date of birth to create an entirely new, fictitious identity. Because the identity isn't tied to a single real victim, it can go undetected for years and is one of the fastest-growing forms of fraud.
What is credential stuffing?
Credential stuffing is an automated attack where criminals take username and password pairs leaked in one data breach and 'stuff' them into login forms on other sites, betting that people reuse passwords. It's the main reason reusing passwords is dangerous — one breach can unlock dozens of your accounts.
What is a SIM swap attack?
A SIM swap (or SIM hijacking) is when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they receive your SMS two-factor authentication codes and can take over bank, email, and crypto accounts. It's why app-based or hardware 2FA is safer than SMS codes.
What does BOFU, new-account fraud, and account takeover mean?
New-account fraud is when a criminal opens a brand-new account (credit card, loan, utility) in your name. Account takeover (ATO) is when they seize control of an account you already own. Both are common outcomes of identity theft, and both are covered in detail in this glossary.