Federal Identity Theft & Document Fraud

Updated May 14, 2026

Federal identity theft law criminalizes the fraudulent creation, transfer, and use of identification documents and personal identifying information. The two primary statutes — 18 U.S.C. § 1028 (identification document fraud) and 18 U.S.C. § 1028A (aggravated identity theft) — work together to punish both the document forgers and the people who use stolen identities to commit other crimes. Aggravated identity theft carries a mandatory consecutive 2-year sentence on top of whatever punishment the underlying felony carries — meaning that using someone else's Social Security number in a wire fraud scheme automatically adds 2 years to your prison time with no possibility of parole or reduction.

Current Law (2026)

| Parameter | Value |
| --- | --- |
| Document fraud | 18 U.S.C. § 1028 — up to 15-25 years depending on offense |
| Aggravated identity theft | 18 U.S.C. § 1028A — mandatory 2 years consecutive (5 years for terrorism) |
| Covered documents | Passports, driver's licenses, Social Security cards, birth certificates, and any government-issued ID |
| "Means of identification" | Name, SSN, date of birth, driver's license number, passport number, biometric data, electronic ID |
| Predicate offenses (§ 1028A) | Theft, fraud, immigration, banking, wire fraud, and dozens of other enumerated felonies |
| Mandatory consecutive | § 1028A sentence runs consecutive to underlying felony — no concurrent time |
| No probation | § 1028A sentence may not be served concurrently, reduced, or substituted with probation |
| Federal nexus | Interstate or foreign commerce, or involves federally created documents |

  • 18 U.S.C. § 1028 — Identification document fraud (criminalizes producing, transferring, or possessing false identification documents; producing, transferring, or possessing document-making implements; possessing 5+ identification documents not lawfully issued to the possessor; trafficking in false identification documents; up to 15-25 years depending on circumstances)
  • 18 U.S.C. § 1028A — Aggravated identity theft (whoever, during and in relation to any enumerated felony, knowingly transfers, possesses, or uses the means of identification of another person without lawful authority, shall be sentenced to an additional mandatory 2-year consecutive term; 5 years if related to terrorism)
  • 18 U.S.C. § 1029 — Access device fraud (criminalizes knowingly using, producing, or trafficking in counterfeit or unauthorized access devices — credit card numbers, debit card numbers, account numbers, PINs, and electronic serial numbers; penalties up to 15 years depending on the value of fraud and number of devices involved)

How It Works

Section 1028 covers the supply side of identity fraud — creating, transferring, and possessing false identification documents and document-making equipment. Producing a fake driver's license, trafficking in counterfeit Social Security cards, possessing a batch of stolen identities, or operating a document mill are all § 1028 offenses. Penalties escalate based on the number of documents, whether the fraud facilitates drug trafficking or violence, and whether the documents are used for international terrorism.

Section 1028A (aggravated identity theft) covers the use side — when someone uses another real person's identity in the course of committing a felony. The key elements are: (1) during and in relation to an enumerated felony (fraud, immigration offenses, banking crimes, tax crimes, and dozens more), (2) the defendant knowingly transferred, possessed, or used (3) the means of identification of another person (4) without lawful authority.

The mandatory consecutive sentence is what makes § 1028A uniquely powerful. The 2-year term must run after (not during) whatever sentence the defendant receives for the underlying felony. It cannot be reduced. It cannot be served on probation. It cannot run concurrently with any other sentence. This makes aggravated identity theft one of the most severe mandatory penalties in federal law — a defendant convicted of wire fraud and aggravated identity theft gets the wire fraud sentence plus an additional 2 years, no matter what.

The Supreme Court in Dubin v. United States (2023) narrowed § 1028A, holding that the statute requires the defendant to have used the other person's identity as a means of committing the underlying crime — not merely incidentally. Using a patient's Medicaid number to bill for an inflated service (where the identity use is incidental to the billing fraud) doesn't qualify; using a stolen identity to open a fraudulent bank account does.

"Means of identification" is defined broadly: name, Social Security number, date of birth, driver's license number, passport number, taxpayer identification number, biometric data, electronic identification number, and any other number that can be used to identify a specific individual.

How It Affects You

<!-- pria:personalize type="impact" -->

If you're an identity theft victim: Federal law gives you specific recovery tools, and the criminal prosecution process can run parallel to your civil recovery efforts. Start at IdentityTheft.gov (the FTC's one-stop portal) to generate a personalized recovery plan, file an FTC Identity Theft Report, and access form letters for disputing fraudulent accounts. If your SSN was used to file a fraudulent tax return, request an IRS Identity Protection PIN (IP PIN) — a 6-digit annual code required to file your return, preventing future fraudulent filings. For credit recovery: under FCRA § 605B (see Credit Reporting Rules), you can request that consumer reporting agencies block fraudulent information within 4 business days of receiving your police report and Identity Theft Report — bureaus must remove the fraudulent accounts from your credit file entirely, not just dispute them. For criminal investigation: federal identity theft cases are prosecuted by U.S. Attorneys; report to the FBI's Internet Crime Complaint Center (ic3.gov) if the theft involved online fraud or was part of a broader scheme. The aggravated identity theft statute (18 U.S.C. § 1028A) carries a mandatory 2-year consecutive sentence — this creates real leverage in identifying and pursuing the perpetrator through law enforcement channels.

If you're concerned about protecting your Social Security number: Your SSN is the single most valuable piece of information an identity thief can possess — it unlocks credit applications, tax fraud, benefits fraud, and employment fraud. Practical defenses: (1) freeze your credit at all three major bureaus (Equifax, Experian, TransUnion) plus ChexSystems and NCTUE — a freeze is free under federal law and blocks new account openings without your active unfreeze; (2) set up a mySocialSecurity account at ssa.gov to monitor your earnings record and catch employment identity theft (where someone uses your SSN for employment, potentially affecting your benefits); (3) enable the IRS IP PIN proactively — you don't have to be a victim to request one, and it protects against tax fraud; (4) review your free weekly credit reports at AnnualCreditReport.com for unfamiliar accounts. For medical identity theft (someone using your insurance information for care): review your EOBs (Explanations of Benefits) from your insurer and your Medicare/Medicaid claims if applicable — medical identity theft is undercounted but can have serious consequences for your health records and coverage.

If you're a federal defendant facing identity theft charges: The sentencing math for identity theft is severe. Aggravated identity theft (18 U.S.C. § 1028A) carries a mandatory minimum 2-year sentence that runs consecutively — after whatever sentence you receive for the underlying fraud felony, not concurrently. The Supreme Court's Dubin v. United States (2023) significantly narrowed § 1028A's application: the statute requires that the defendant's use of the victim's identifying information be "at the crux of what makes the conduct criminal" — not merely incidental to the fraud scheme. This ruling invalidated many overbroad § 1028A charges where the identity use was peripheral. For defendants: Dubin is now a significant defense argument against § 1028A charges in cases where identity use was not central to the fraud (e.g., using a name on a billing form vs. using an identity to create fraudulent accounts). The base offense conduct — using, transferring, or possessing means of identification without lawful authority (§ 1028(a)) — carries up to 15 years; aggravated identity theft stacks a mandatory 2 years on top for predicate felonies.

If you're an employer, HR professional, or financial institution dealing with identity fraud: Employers face liability exposure when hiring processes inadequately detect false identity documents. I-9 employment verification requires examining original documents, but employers are not document fraud experts — good-faith examination of documents that appear genuine provides a legal defense to constructive knowledge of fraud. For financial institutions: customers victimized by identity theft have rights under the Fair Credit Billing Act (FCBA, for credit cards, zero liability for fraudulent charges after timely notice), Electronic Fund Transfer Act (EFTA, limited liability for debit account fraud), and FCRA (dispute rights for fraudulent credit inquiries and accounts). Your Safeguards Rule obligations (under GLB, FTC-enforced) require implementing a written information security program — inadequate security enabling mass identity theft has been the basis for FTC enforcement actions resulting in multimillion-dollar settlements. Promptly notify customers of data breaches under your applicable state breach notification law and the federal breach notification requirements for healthcare data (HIPAA) and banking data (Gramm-Leach-Bliley).

<!-- /pria:personalize -->

State Variations

<!-- pria:personalize type="state-specific" -->

Federal identity theft laws coexist with comprehensive state identity theft statutes:

  • All 50 states criminalize identity theft under state law
  • State penalties, definitions, and victim assistance provisions vary widely
  • Many states have identity theft passport programs and security freeze rights
  • State breach notification laws (all 50 states) require businesses to notify consumers of data breaches exposing personal information
  • Federal and state prosecution can proceed concurrently for the same conduct
<!-- /pria:personalize -->

Implementing Regulations

  • 28 CFR Part 22 — Confidentiality of identifiable research and statistical information (protections for identity theft victim data in federal programs)

  • 16 CFR Part 603 — FTC identity theft rules (§§ covering identity theft report requirements, streamlined process for theft reports)

  • 16 CFR Part 681 — Identity Theft Rules (the FTC Red Flags Rule). Key provisions:

    • § 681.1 — Red Flags Rule: financial institutions and creditors subject to FTC enforcement of the Fair Credit Reporting Act must develop and implement a written Identity Theft Prevention Program that: (a) identifies "red flags" — patterns, practices, or activities indicating possible identity theft — relevant to their covered accounts; (b) detects red flags when they occur; (c) responds appropriately to detected red flags to prevent and mitigate identity theft; and (d) updates the program periodically to address new identity theft risks; "covered accounts" includes consumer accounts designed to permit multiple payments or transactions (checking, savings, credit card) and any other account presenting a reasonably foreseeable identity theft risk; the program must be approved by the board of directors or senior management and have appropriate staff training
    • § 681.2 — Card issuer address-change duties: a card issuer who receives a request for an additional or replacement card for an existing account within 30 days after receiving a notification of a change of address for the account must follow verification procedures before issuing the new card — to prevent the classic identity theft scheme of changing the victim's address and then ordering a replacement card to the new address; acceptable verification methods include notifying the cardholder at the old address, calling the cardholder, or using other reasonable procedures

    Appendix A to § 681.1 provides guidance on red flags to consider, organized by five categories of risk: (1) alerts, notifications, or warnings from consumer reporting agencies (e.g., fraud alerts, credit freezes, address discrepancy notices); (2) suspicious documents (altered or forged IDs, documents that don't match each other); (3) suspicious personal identifying information (inconsistent SSN, address that doesn't match records, nonworking phone number); (4) unusual use of or suspicious activity on a covered account (significant change in payment patterns, uncharacteristic large transfers, deactivated accounts being reopened); and (5) notices from customers, victims, or law enforcement about possible identity theft. The written program is enforceable through FTC civil penalty authority — non-compliant institutions can face penalties up to $53,088 per violation (2025 amount; 2026 levels held by OMB M-26-11) and are also potentially liable for consumer harm enabled by inadequate identity theft prevention.

Pending Legislation

  • HR 5345 (Rep. Kustoff, R-TN) — Improving Social Security's Service to Victims of Identity Theft Act: create an SSA single point of contact to guide identity-theft victims through case resolution. Status: Passed House.
  • S 1666 (Sen. Grassley, R-IA) — Senate companion: SSA point of contact and trained team for identity-theft victims. Status: Introduced.
  • HR 7270 — Stop Identity Fraud and Identity Theft Act: Treasury grants to help states build secure digital IDs and prevent identity-driven fraud. Status: Introduced.
  • HR 7892 — No Aid for Ghost Students Act: block federal aid for student applications flagged for identity fraud. Status: In committee.
  • HR 5594 (Rep. McDonald Rivet, D-MI) — Protect Your PIN Act: add identity theft to VAWA cybercrime grant program. Status: Introduced.

Recent Developments

The Dubin decision (2023) significantly narrowed aggravated identity theft, requiring that the identity use be central to the underlying crime rather than merely incidental. This resolved a circuit split that had produced inconsistent applications across the country. Identity theft continues to be one of the most common federal criminal charges, frequently accompanying wire fraud, tax fraud, immigration fraud, and healthcare fraud cases. The growth of synthetic identity fraud (combining real and fabricated information) and data breach-driven identity theft — often prosecuted under the Computer Fraud and Abuse Act — has challenged traditional enforcement approaches. Prosecutors have increasingly targeted sophisticated identity theft rings involving international actors, while also addressing pandemic-era unemployment fraud and PPP loan fraud involving stolen identities.

  • DOGE database access — systemic identity data vulnerability concerns (2025): DOGE personnel were granted access to SSA, IRS, Treasury payment systems, and other databases holding Social Security numbers, tax records, and financial information on hundreds of millions of Americans. Courts issued temporary restraining orders in February 2025 (in AFGE v. OPM and related cases) limiting DOGE access to certain databases pending litigation over appropriate access controls. The concern: improperly supervised or secured DOGE access credentials, if compromised by foreign adversaries or insider threats, could enable identity theft at a scale unprecedented in U.S. history. Federal employees and benefit recipients cannot yet assess individual exposure. The standard consumer response applies: credit freeze at all three bureaus (free under FCRA), monitoring for unauthorized account openings and IRS tax refund fraud.
  • AI-generated deepfake identity fraud — emerging federal enforcement (2025): Generative AI has enabled voice cloning and synthetic video identity fraud at scale. AI voice clones are being used in grandparent scams (impersonating grandchildren in fake emergencies), CEO fraud (impersonating executives to authorize wire transfers), and account takeover schemes that bypass voice-based authentication. The FTC received over 1 million reports of impersonation fraud in 2024. Federal prosecution uses existing wire fraud (18 U.S.C. § 1343) and identity theft (18 U.S.C. § 1028) statutes; no AI-specific federal identity theft statute exists. The FTC's AI Voice Cloning Challenge sought technical solutions; Tennessee enacted the ELVIS Act (2024) for voice likeness protection, a model that other states are following. Consumers should use a family code word to verify emergency calls.
  • Trump DOJ — immigration identity fraud enforcement (2025): The Trump DOJ has intensified prosecution of individuals who used false Social Security numbers or fraudulent documents for work authorization or benefit access. Enhanced cross-matching between E-Verify, SSA wage records, and immigration databases has flagged workers whose SSNs belong to other individuals. The DOJ treats aggravated identity theft charges under 18 U.S.C. § 1028A (mandatory 2-year consecutive sentence) as an enhancement tool in immigration enforcement cases, increasing criminal consequences for unauthorized workers beyond the civil immigration violation. This enforcement posture has created fear among immigrant communities about routine government interactions.
