We’ve heard about the identity theft epidemic for so long that many have become numb to the news, and the large numbers — 50 million stolen credit cards here, 150 million stolen Social Security numbers there. But this is no time for complacency.

There were two bits of very bad news for consumers in the recent annual survey of identity-based fraud. First, there were 16.7 million victims in 2017, easily the most all-time, fueled in part by a series of high-profile data breaches. But even worse, criminals are migrating to more sophisticated, multistep frauds, with the rates of new account fraud and noncredit credit card fraud soaring. Why should you care? Those are the crimes with the most potential to hurt your credit score.

Identity theft can happen anywhere

First, the top headlines from the report, which has been issued annually Javelin Strategy & Research for more than a decade. Fraud “blew past” the previous year’s record, according to the report.

If you are in an office or coffee shop with 15 people right now, odds are pretty high that one of them was a victim of ID theft in 2017 — 6.64% of surveyed consumers reported being a victim of any kind of ID theft, or 1 out of 15, last year. That’s up from about 1 in 20 last year. Worse still, criminals armed with full dossiers on consumers — SSNs, home addresses, even knowledge-based authentication question answers — are hopscotching from one kind of account to another. Criminals are moving beyond traditional bank account hacking to opening up fake mobile phone accounts, internet payment accounts and online merchant accounts using stolen credentials.

“Everything is up,” Al Pascual, senior vice president, research director and head of fraud & security, Javelin Strategy & Research. He helped write the report. “A lot of it is interconnected.”

While fraudulent charges on an existing credit card can usually be cleared up with a quick phone call, these others kinds of fraud can cause a lot more trouble for consumers. If a criminal opens new cellphone service or TV service in your name, your credit can be ruined. That happened to Mark last year, who asked that his last name be withheld because he’d already been a victim of ID fraud. A criminal opened a pay TV account in his name, then didn’t pay the bill for several months. Mark says his score dropped by more than 100 points until he got the delinquent account removed from his report.

Making matters worse, Javelin notes, some of these kinds of fraudulent accounts — such as payday loans — don’t appear on your credit report when they are opened, but only later, when they are sent to collections.

5 simple steps to reach $1 million

The most significant shift in tactics that occurred last year, Javelin said, was the growth of “intermediary new-account fraud.” It involves fraudsters who monetize compromised existing accounts by opening one or more fraudulent accounts – such as P2P payment accounts – to facilitate money movement out of the victim’s account. In 2017 the prevalence of intermediary new-account fraud rose abruptly, reaching as estimated 1.5 million victims, more than 2½ times the previous peak of 500,000 victims in 2015. Also, more than a million victims of existing account fraud had an intermediary account opened in their name last year — 200% greater than the previous high.

Other newly prevalent types of account takeovers were also up sharply, Javelin found: loyalty/reward accounts theft (such as hotel points), cryptowallet hijacking, and brokerage account heists led the list.

This bad news isn’t a total surprise, as it follows a year when data leaks were up sharply, headlined by the Equifax breach, which impacted nearly 150 million Americans. Nearly a third (30%) of U.S. consumers said they were notified of a breach in the past year, up from 12% in 2016. Also, for the first time, stolen SSNs outnumbered stolen credit card account numbers, Javelin said.

Thieves are adapting

Why are criminals so hard at work developing new fraud methods? There’s plenty of reasons, but here’s two: chip-enabled credit cards and the spread of two-factor authentication. Chip cards have made old-fashioned retail store credit card fraud much harder. Squeeze one side of a water balloon, the other side gets bigger. Now that in-store fraud is harder, online fraud is more common. Indeed so-called “card-not-present” fraud, such as thefts from e-commerce websites, is now 81% more likely than point of sale fraud, the greatest gap Javelin has observed.

Meanwhile, many two-factor authentication schemes use cellphone SMS text messages for logins or password resets, so criminals looking to escalate their way into more privileged accounts are hard at work breaking into cellphone accounts. That lets them intercept security texts and defeat the two-factor implementation.

“Fraudsters embarked on a trend of gaining control of not only the financial account involved but also a separate account such as a mobile phone or email account where password-change instructions or one-time passwords might be sent,” the Javelin report found.

Further complicating matters is the growth of so-called synthetic ID theft, in which criminals match up pieces of various identities to create an entirely new “person” they can use to apply for credit and steal.

“Stolen information can be used with other (personal information) in any number of permutations,” the report warns. “Criminals have proven adept at using the anonymity of digital channels to create synthetic identities: virtual identity Frankensteins that mix and match different elements of identity information.”

Depending on how it’s done, such new accounts might not end up on your credit report. But when there’s an unpaid bill, collections agents following up on any potential lead may come looking for you. And they may wreck your credit, too.

What you can do

How can you protect yourself? Most of all, be vigilant. Check your credit report and score frequently. Often, a sudden drop in score is the canary in the coal mine that tips off victims to the crime. Consumers should also consider:

1. Turning on two-factor authentication wherever possible

2. Placing security freezes on your credit files. NOTE: Freezes are free at Equifax until June 30.

3. Signing up for account alerts everywhere. Text messages and emails about account activity are the best way to detect suspicious activity as early as possible.