1. “Not even the biggest institutions can stop me.”

Banks let them open accounts in your name. The Internal Revenue Service gives them your tax refund. They dip into databases linked to credit bureaus, snagging your bank account, routing and Social Security numbers, which are sold off like packs of gum in an ever-growing black market that generates billions of dollars. The modern con artist’s prying eyes look beyond the wallet in your back pocket to hijack your financial identity.

In 2013, there was a new victim of identity fraud every two seconds, according to Javelin Strategy and Research. Fraud complaints increased more than sixfold from 2001 to 2013, according to a Federal Trade Commission report released in February. As consumers bank, shop and connect in social networks online, data breaches have become an unwelcome reality.

Scarier still: The institutions that are supposed to keep your information secure are the same ones fraudsters can sneak past. More than 867 million records have been stolen from businesses, government agencies, nonprofits, medical providers and educational institutions since 2005 — and 30% of those were leaked in the last year and a half, according to the Privacy Rights Clearinghouse. Victims this year alone include government agencies like the California Department of Motor Vehicles and the city of Detroit, large corporations including food company J.M. Smucker, as well as small businesses like an Ohio gas station and a Malibu wine shop.

Evan Hughes

Once a crook has one piece of your personal data, it’s much easier to get a lot more of it. Nearly all of the top credit card issuers and 80% of the top 25 banks allow someone to access your account if they have the correct Social Security number, according to Javelin. Every year, the U.S. hands billions of dollars to fraudsters requesting tax refunds that belong to someone else. That total reached about $3.6 billion in 2011, according to the Treasury Inspector General for Tax Administration. Attorneys general in Connecticut and Illinois are probing Experian, one of the three major credit bureaus, after a Vietnamese man pled guilty to selling the information of hundreds of thousands of Americans, which he accessed through one of its subsidiaries. Experian has said that it did not control the compromised database and that its credit data wasn’t affected.

To be sure, when it comes to security, “financial institutions represent, perhaps, the most protected business segment in the private sector,” according to a report released last month by the SANS Institute, an Internet security company. The survey of nearly 300 technology security professionals, from across banking, insurance, health care and government agencies, also found that 49% of respondents plan to invest more heavily in information technology security over the next two years.

Banks run continual tests on their security systems to find and patch weaknesses, though fake credentials can sometimes slip through, says David Pommerehn, senior counsel at the Consumer Bankers Association, a trade group comprising more than 50 retail banks including Chase, Bank of America and Citigroup.

“Criminals have moved from the street corner, committing crimes like prostitution and selling drugs, to committing white-collar crimes, committing fraud,” says Al Pascual, senior analyst for security, risk and fraud at Javelin. “The information they need to commit these crimes is plentiful and cheap.”

2. “I work with you — and sometimes for you.”

The typical organization loses an estimated 5% of annual revenue to its own employees — a global total of $3.5 trillion. Not because of wages, but because of fraud, according to a 2012 report by the Association of Certified Fraud Examiners. That means money lost to inflated expense reports, bribery, extortion, payroll schemes like adding ghost employees, or outright looting of cash. The median loss is about $140,000, according to the ACFE report. Do you own a small business? Those take a bigger hit, about $7,000 more. More than one-fifth of work-related fraud cases end up costing at least $1 million.

Still, companies are building up teams of fraud-hunters to fight back, hiring for risk, compliance and anti-money laundering roles. The ACFE counted more than 70,000 members this year, a 40% increase since 2008, the year the financial crisis unfolded, as businesses seek more risk and compliance experts.

Employee fraud doesn’t end at the office. Americans spend $275 billion annually on home improvement repairs — fixing roofs and plumbing, remodeling, building fences, and so on, according to a Harvard University study. Can you trust the handyman? Maybe not. The National Center for the Prevention of Home Improvement Fraud estimates homeowners are scammed out of at least a collective $17 billion annually due to prepayment for work that never gets done, overbilling and unscrupulous contracts, among other cases.

The anti-home improvement fraud nonprofit visits about 50 cities nationwide each year to teach people how to protect themselves from contractor scams, for example, warning not to provide more than 10% of the compensation upfront.

“One of the worst cases that we heard was of a homeowner who gave the contractor $240,000, signed the check over to the contractor, and never heard from the contractor again,” says Phae Moore, the group’s executive director. “Once the guy has taken off with your money, there’s not a whole lot anybody can do for you.”

3. “Your personal information can cost me less than a latte.”

A con artist who doesn’t have the skills to hack into your data can buy it for cheap on the black market. A Social Security number can sometimes cost just $3, according to the Office of the National Counterintelligence Executive, a government security agency. And black markets, like traditional ones, follow the principles of supply and demand. In the aftermath of a major data breach, your private data can cost a criminal just a few dollars — or less. In fact, the average price per record dropped from $15-$20 to about 75 cents following large-scale hacks like the one at Target in December that put 110 million customers’ information at risk, according to a report by RAND Corp. and Juniper Networks Inc. (In response, Target offered customers a year of free credit monitoring, as well as a year of identity theft insurance.)

Credit cards that are newly stolen fetch $20-$45, according to the RAND report, with that price falling by half in a flooded market. On clearance, cards that are likely already canceled are considered “stale” and cost $2-$7. The underground networks for stolen information can span more than 70,000 people, trafficking hundreds of millions of dollars, according to the report.

It’s an efficient and sophisticated shadow economy. “The black market, once a varied landscape of discrete, ad hoc networks of individuals motivated by ego and notoriety, has now become a burgeoning powerhouse of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states,” it reads.

4. “I can tell when you’re most vulnerable.”

The psychopath and the con artist have at least two traits in common: lack of empathy and enough perception to pinpoint someone’s vulnerabilities or desires and fulfill them.

Scammers often go after people during their darkest periods. An AARP survey released last month found that 66% of the victims of online fraud in New York, ages 18 and older, reported often or sometimes feeling isolated. Fraud victims were also more than 50% more likely to have recently experienced negative life events, like the death of a spouse, family member or close friend, job loss, illness or divorce. Such factors also explain why the elderly may be particularly vulnerable to fraud.

“A lot of con men probably are psychopaths, probably smart psychopaths,” says David Bernstein, a forensic psychologist who runs a consulting firm and has performed hundreds of tests to identify the disorder.

“They’re chameleons. They’ll change and do whatever they need to do to meet that need for the person they’re looking at,” he says. “If they know that this person is lonely, they’ll do everything to show them that they’re going to be good company to them.”

5. “I’m Facebook-stalking you.”

Love when you get all those “happy birthday” wishes on your Facebook wall? Con men do, too.

Your date of birth, hometown and current location are valuable to thieves, for whom social media has become a gold mine for gleaning identity profiles. Posting photos while on a beach vacation might make friends jealous, but criminals are thrilled. That’s a signal that your possessions are waiting unattended back at home.

“Don’t give people too much information about where you are, what you’re doing, what your age is, anything that they could use to cobble together a better picture,” says Adam Levin, founder and chairman of personal-finance website Credit.com, and founder of Identity Theft 911, an education and data breach response company.

Companies like Facebook and LinkedIn say their privacy settings let users determine the audience for each piece of their profiles. Facebook posts can be limited to be visible to just friends or a smaller group of people, and users can also retroactively limit older posts and photos. LinkedIn recommends users only connect with individuals they already know and trust because “it’s about quality, not quantity, and building relationships that matter,” a company spokesman says.

6. “I love when you pay with a debit card.”

All plastic isn’t created equal. If someone goes on a shopping spree with a stolen credit card, the owner is legally only responsible for up to $50, and dealing with the fraudulent purchase is the card company’s job. When a crook has your debit card, though, the entire account could be ransacked. Consumers who wait more than two days could be responsible for up to $500 in unauthorized charges, and those who wait 60 days after receiving the statement with fraudulent charges risk losing more.

In response to this discrepancy, Sens. Mark Warner, a Virginia Democrat, and Illinois Republican Mark Kirk introduced a bill this month proposing that debit cards offer the same $50 liability cap for unauthorized transactions as credit cards.

One legendary ex-conman who cashed $2.5 million in fake checks nearly 50 years ago while assuming at least eight identities says he always opts for credit over debit. “That’s what I use as my most popular form of payment because I don’t have to worry about anybody having access to my bank account,” says Frank Abagnale, who was portrayed by Leonardo DiCaprio in the film “Catch Me If You Can.”

7. “I’m reading your mail.”

Snail mail isn’t dead. The U.S. Postal Service processed and delivered 528 million pieces of mail per day in 2012.

Scammers haven’t ignored old-fashioned correspondence, either. Postal inspectors reported 7,845 arrests and indictments for mail crime in 2012, including 157 suspects for tax fraud. The postal service warns that consumers shouldn’t leave documents in mailboxes overnight. If financial statements or bills don’t arrive in your mailbox when expected, call the institution in case someone intercepted them first. Send sensitive documents using certified or registered mail, or priority shipping, which you can track.

8. “Your trash is my treasure.”

Shredding documents should be a critical spring cleaning routine for as long as people continue to use paper, experts say. Destroy anything that has your personal information — bank statements, pay stubs, canceled checks and receipts should all go. Sensitive documents thrown out intact could land in the hands of a dumpster-diving identity thief.

And take a closer look at the shredder you’re using. Straight-cut shredders are too basic, creating just a one-hour puzzle for a shrewd con man, says Abagnale, the former trickster who now works with the FBI. It would take someone 10 hours to reassemble a piece of paper that’s been cross-cut into diamonds, he says. The safest variety is a micro-cut shredder, which starts at about $150 and chops paper into up to 12,000 pieces per page. “It turns paper into confetti, like that you throw at a wedding, which is impossible to put back together,” he says.

9. “I may be in jail, but I can still steal from you.”

Prisoners filed more than 173,000 fraudulent tax returns while behind bars during the year ended June 30, 2012, according to a report by the Treasury Inspector General for Tax Administration. The problem has escalated over the last decade.

The agency foiled fake filings from inmates requesting a total of $2.5 billion that year. In calendar year 2010, the fraudulent refunds claimed amounted to $757 million, escalating from $68 million in 2004.

The IRS stopped a large portion of the payments, but still issued $158 million of the fraudulently claimed refunds between 2004 and 2010, according to the report. The IRS collects information on inmates from federal and state prisons to prevent this kind of waste, but that data is fragmented and sometimes even wrong. The tax inspector general found in a 2010 report that 12% of the prisoner records on file for the previous year were either missing data or had inaccuracies.

A new law went into effect in January 2013, allowing the IRS to disclose inmate-filed fraudulent tax return information with state and federal prisons, easing prior privacy restrictions with the hope of stemming the activity.

10. “You may never even know I scammed you.”

Deception is part of human nature. And humans detect lies only 54% of the time, according to an American Psychological Association paper published in 2011.

So fraud estimates provide only a partial picture of the scope of the problem, even at best, experts say, given that cons are intended to remain concealed. Cases reported to the Association of Certified Fraud Examiners for the 2012 report went a median of 18 months undetected. And the study found that cheating employees — even when caught — sometimes skate by relatively unscathed: About one-third of perpetrators were not referred to law enforcement for criminal prosecution.

A really good con artist can even end up playing on the other side of the game, helping law enforcement in exchange for life outside a jail cell. Abagnale opened an anti-fraud consulting firm called Abagnale & Associates after five years in prison. He was released on the condition that he would help the federal government and has since taught at the FBI Academy and testified on scams against the elderly at the U.S. Senate.

For others, the metamorphosis from fraudster to fraud-stopper didn’t go as well. Barry Minkow, whose carpet-cleaning company ZZZZ Best turned out to be a Ponzi scheme that swindled investors out of tens of millions of dollars in the 1980s, spent just seven years in prison after being caught in a 54-count indictment. He was released and founded the Fraud Discovery Institute, which helped the federal government find other scams, while also serving as a pastor at a San Diego church. But this January, he pleaded guilty to cheating his former church and its congregation out of more than $3 million with tricks dating back to 2001.

This story was originally published on April 25, 2014.
