For years, the advice was simple: don’t click suspicious links, don’t wire money to strangers, and you’d probably be fine. Scams were the headline threat. Criminals would craft urgent messages, impersonate banks, or deploy fake customer service calls to trick people into handing over personal information. That worked, for a while. The numbers are now telling a very different story.
According to the 2026 Trends in Identity Report released by the Identity Theft Resource Center (ITRC), unauthorized access to computers and mobile devices has surpassed scams as the leading cause of identity theft among adults aged 35 to 64. This is the first time device takeovers have claimed the top spot, and the numbers behind the shift are striking.
The Numbers Behind the Shift
The ITRC report draws on more than 6,000 cases reported between April 1, 2025, and March 31, 2026. In that window, unauthorized device access jumped 78 percent year over year, climbing from 15.3 percent of all identity compromises to 27.2 percent. Meanwhile, scams involving the sharing of personal information dropped from 43.1 percent to 36.1 percent.
That decline in scam numbers is not the good news it might seem. Criminals have not become less active. They have become more efficient. Rather than spending time convincing someone to share their bank details over the phone, attackers are now finding it easier to simply take over a device and extract everything themselves.
The report also highlights a troubling escalation in the complexity of attacks. Nearly 26 percent of victims are now dealing with two or more identity crimes simultaneously, up from 23.5 percent the year before. Identity theft is no longer a single-event crime. For a growing number of people, it is an ongoing crisis.
How Attackers Are Getting Into Your Devices
The shift toward device-based attacks is not happening by accident. It reflects a broader evolution in criminal tactics, driven in part by the sheer volume of valuable data now sitting on personal smartphones and computers.
Infostealer malware is one of the primary tools behind this surge. Programs like Raccoon, RedLine, and Vidar are designed to quietly harvest stored credentials, browser passwords, cookies, and session tokens from infected devices. Once installed, they operate in the background without triggering obvious warnings. By early 2026, nearly 2.5 million stolen accounts were already listed for sale in underground marketplaces, a supply that lets criminals skip the hacking step entirely and buy their way into compromised accounts.
Credential stuffing has also become more automated and more scalable. Attackers take large batches of stolen username and password combinations and test them against dozens of platforms at once. If someone reuses the same password across multiple accounts, a single breach can cascade into losses across banking apps, email accounts, and cloud storage.
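From the defending side, credential stuffing leaves a recognizable shape in login logs: one source trying many different accounts in a short time and mostly failing. The sketch below is an added example, not part of the ITRC report or this article; the log format, addresses, user names, and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
2026-03-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2026-03-01T10:00:03Z ip=203.0.113.7 user=bob result=FAIL
2026-03-01T10:00:05Z ip=203.0.113.7 user=carol result=FAIL
2026-03-01T10:00:07Z ip=203.0.113.7 user=dan result=FAIL
2026-03-01T10:00:09Z ip=203.0.113.7 user=erin result=OK
2026-03-01T10:01:00Z ip=198.51.100.20 user=dave result=FAIL
2026-03-01T10:01:20Z ip=198.51.100.20 user=dave result=FAIL
2026-03-01T10:01:45Z ip=198.51.100.20 user=dave result=OK
2026-03-01T10:02:00Z ip=192.0.2.44 user=frank result=OK
2026-03-01T10:02:10Z ip=192.0.2.44 user=grace result=OK
2026-03-01T10:02:30Z ip=192.0.2.44 user=heidi result=OK
2026-03-01T10:03:00Z ip=192.0.2.44 user=ivan result=OK
"""

def parse(line):
    """Split 'timestamp key=value ...' into (time, ip, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["ip"], kv["user"], kv["result"]

def find_stuffing(lines, window=timedelta(minutes=5), min_users=4, min_fail_ratio=0.75):
    """Flag source IPs that try many different accounts and mostly fail."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            when, ip, user, result = parse(line)
            by_ip[ip].append((when, user, result))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(r == "FAIL" for _, _, r in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Accounts that logged in OK from this source need a forced reset.
                hit = sorted({u for _, u, r in span if r == "OK"})
                alerts[ip] = {"distinct_users": len(users), "attempts": len(span), "succeeded": hit}
    return alerts

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG.splitlines()))
```

Only 203.0.113.7 is flagged: the user who mistyped a password twice and the shared office address with four successful logins both stay below the thresholds. The `succeeded` list is the reused password the paragraph above warns about.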
SIM swapping, where criminals convince a mobile carrier to transfer a victim’s phone number to a device they control, remains a serious threat, particularly because it allows attackers to intercept SMS-based two-factor authentication codes. Once they own a phone number, many password reset processes become trivially easy to bypass.
Mobile malware delivered through fake apps, malicious links, or compromised Wi-Fi networks is also on the rise. A device that looks perfectly normal on the outside can be quietly forwarding keystrokes and screenshots to someone halfway around the world.
Why Scams Have Not Disappeared
It is worth being clear: scams have not gone away. The ITRC report shows they still account for 36 percent of identity compromises. What has changed is the relative prominence of device attacks, partly because awareness campaigns and media coverage have made more people skeptical of unsolicited calls and messages. Scammers still find success, particularly among older adults and people who have not been exposed to those campaigns, but the easy wins are getting harder to come by.
Device attacks require little social engineering. They scale better. And in a world where most people carry a device loaded with banking apps, saved passwords, and personal photos, the potential payout from a successful device compromise is enormous. Global losses from identity fraud exceeded $50 billion in 2025, and early indicators suggest 2026 will surpass that figure.
What You Can Actually Do
The numbers are discouraging, but the protective steps are not complicated. They do require consistency.
The single most effective thing most people can do is stop reusing passwords. A password manager takes almost all of the friction out of maintaining unique, strong credentials across every account. If one site is breached, the damage stays contained.
App permissions deserve more attention than they typically get. Most people grant apps access to contacts, location, microphone, and camera without much thought. Reviewing and revoking unnecessary permissions regularly is a simple habit that limits what malicious software can access if a device is ever compromised.
Software updates matter more than ever. Many infostealer programs exploit known vulnerabilities in operating systems and apps for which patches are already available. Keeping everything updated closes those doors. Enabling automatic updates is the easiest way to make this a non-issue.
Phishing remains the most common initial access vector for device compromise. That suspicious link does not always arrive via email. It shows up in text messages, on social platforms, and inside messaging apps. Treat any unsolicited link with suspicion, regardless of the channel it arrives through.
For those who rely on SMS codes as their second authentication factor, switching to an authenticator app is worth the small effort involved. An attacker who takes over a phone number through a SIM swap cannot intercept codes that are generated on the device itself.
Businesses face a version of this same problem, scaled up. Organizations need to think beyond perimeter defenses and invest in monitoring for signs of compromised employee devices, particularly those with access to sensitive systems or customer data.
The Takeaway
The ITRC’s 2026 findings mark a real inflection point in how identity crime works. The phone and laptop you carry are now more likely to be the point of entry than a phone call or a fraudulent email. That changes the nature of the threat, and it should change how people think about protecting themselves.
Staying safe is less about being skeptical of strangers and more about making your devices a harder target. The tactics exist. The question is whether enough people put them into practice before the numbers get worse.

