Dave Marcus's e-mail inboxes, which trap a sample of the malicious software files circulating on the Internet, are jammed more than ever before.
So-called malware programs that steal personal data climbed to more than 1.2 million this year from 135,000 in 2007, said Marcus, director of security research and communications for Santa Clara, Calif.-based McAfee Inc., the second-biggest maker of security software. At least 90 percent of those programs are designed to grab information such as Social Security and credit card numbers, he said.
Identity theft victimized 8.1 million Americans last year and 8.4 million in 2006, according to data compiled by Javelin Strategy & Research, a financial services research firm in Pleasanton, Calif. Unauthorized transactions cost consumers as much as $45 billion in 2007, Javelin reported.
"It has a significant impact on our economy," said Betsy Broder, head of the identity-theft program at the U.S. Federal Trade Commission in Washington. "Unlike other crimes, consumers frequently say they don't know when the injury will end. They know their information is out there and can still be misused."
While credit card companies generally reimburse customers for unauthorized charges, victims still face an "incredible hassle" cleaning up the mess, said Jeff Fox, technology editor at Consumer Reports magazine.
"You've got to contact the police, you've got to replace the cards," he said. "If it's a credit card, most of us have recurring charges like maybe your Internet account or your phone bill. The more stuff you have sitting on your credit card bill, the more potential cleanup there is."
Spying with malware is one way to obtain consumers' personal information, along with looking through trash, filling out postal change of address forms in a victim's name, and hacking into online records, according to the FTC, which maintains a clearinghouse of identity-theft complaints and helps law enforcement agencies respond to cases.
"Cyber crime has been growing by leaps and bounds because it's low risk and it's high reward," McAfee's Marcus said. "Everybody needs to be suspect of anything that's in their inbox that they didn't ask for."
Consumers expose themselves to malware by downloading attachments or clicking links in e-mails. "Drive-by downloads" occur when a compromised Web site sends malware to an unknowing visitor's computer, said Jonathan Woytek, a member of the technical staff at Pittsburgh-based Carnegie Mellon University's CERT Coordination Center, which studies Internet security. CERT offers a tutorial on securing Web browsers against malware on its Web site, cert.org/tech_tips/securing_browser/.
The President's Task Force on Identity Theft, a group of 17 federal agencies formed in 2006, said in September that it's taking steps to curb fraud, including assisting foreign law enforcement organizations in identity-theft cases and working with the American Bar Association on a free legal assistance program for victims.
Laptop computers, like cash, shouldn't be left alone even for a minute, according to the FTC. Someone whose laptop is stolen loses the data stored on the machine.
An option is placing a credit freeze with national credit bureaus -- Equifax, Inc., Experian Group and TransUnion LLC -- to block access to personal reports. There's a fee to remove the freeze before applying for legitimate new credit.
Consumers Union, the Yonkers, N.Y.-based nonprofit publisher of Consumer Reports, offers a tutorial on getting a credit freeze at Financialprivacynow.org.
To reduce the risk of fraud, consumers should shred documents containing personal information before discarding and avoid giving private details to someone who asks for it in unsolicited calls or e-mails, according to the FTC.
Allyn Pon, 50, said he lost $110,000 selling shares after someone hacked into his online brokerage account and bought 1.2 million shares of a Chinese company.
The marketing consultant logged onto his brokerage at 7 a.m. on May 1, 2007, from his San Diego home for a routine round of stock trading before work and found out that he owned 1.2 million shares of Hong Kong-based China Premium Lifestyle Enterprise Inc. He said still doesn't know how someone got his password to log on to the brokerage.
"Shock, disbelief," was Pon's reaction, he said. "Based on the IP address that the brokerage account firm mentioned, they said it came from China. I had to eat the loss."
In July, an arbitration panel rejected Pon's claim for $390,000 in damages from his brokerage, according to a Financial Industry Regulatory Authority dispute document.
Web sites such as Lifelock, which gives its chief executive officer's Social Security number in national advertisements, and TrustedID, say they can guard against identity theft for a fee.
Travelers Cos., the second-biggest U.S. business insurer, offers a $25-a-month identity-theft policy to homeowners, according to the company's Web site. The coverage reimburses up to $25,000, with no deductible, for expenses related to repairing damaged credit. Farmers Group Inc. and Nationwide Mutual Insurance Co. also provide identity-theft coverage.
It's important to look closely before paying a fee for identity-theft services or signing up for insurance, said Sally Hurme, senior project manager for financial security for the AARP in Washington.
"Some of the advertising has not been very straightforward as to what you're getting," Hurme said.