Payments professionals who suspect fraud is getting significantly worse were confirmed in their suspicions Wednesday with a report indicating identity fraud hit an all-time high in 2016, affecting some 15.4 million U.S. consumers.

That’s up nearly 18% from 2015 and represents a one-third increase from the 11.6 million robbed of their identities just five years earlier, according to Javelin Strategy & Research, which released its annual ID fraud study, sponsored by identity-protection firm LifeLock Inc.


Javelin’s researchers, however, were surprised not so much by the sharp rise in overall ID fraud as by the stubborn persistence of point-of-sale card fraud, which the ongoing rollout of EMV apparently did little to reduce. “What caught us off-guard is that card fraud is up across the board, whether card-not-present or point of sale,” Al Pascual, senior vice president and research director at Javelin, tells Digital Transactions News.


Contributing to POS fraud were several factors, including the fact that, as late as September, only 36% of merchant locations were capable of processing EMV chips, says Javelin’s report. As of December, Visa Inc. said 39% of all merchant locations accept chip cards. Another problem was that merchants that were equipped to accept EMV cards in many cases ran mag-stripe cards instead to speed up wait times or avoid technical glitches, a process known as fallback.


“We expect there was a significant amount of fraud from fallback,” says Pascual. “Criminals were out there using every type of card they could before they were replaced by EMV.” Overall, the incidence rate—the percentage of consumers affected—of POS card fraud rose 8%.


But card-not-present fraud shot up, as well, even more than the Javelin researchers expected. Here, the incidence rate increased 42%, to 3.42% of consumers. “We were thinking [the increase] would be just better than 10%,” says Pascual. But fraudsters deployed automated technology like bots to place high-speed, high volume orders and overwhelm online merchants’ fraud teams. “If you have only four people for manual reviews, something’s got to give,” notes Pascual.


All told, fraud on what Javelin calls existing card accounts affected 5.07% of accounts in 2016, up from 4.45% the year before and from a recent low of 3.14% in 2012. If there was any good news, it’s that fraud losses grew more slowly, totaling $8.8 billion, up just 3.5% from 2015 and down from $11.5 billion in 2013. That total for 2016 represents more than half of the $16 billion in total ID fraud losses Javelin found.


Helping to fuel account theft are trends such as takeovers of mobile-phone accounts and harvesting of information casually posted by consumers on social media. Hijacked mobile accounts, for example, allow criminals to intercept one-time passwords often used by companies and financial institutions to secure account access for legitimate users. “Among all accounts taken over in 2016, mobile-phone accounts were nearly twice as likely to be taken over than they were the year before,” notes Pascual.


And, through breaches and by scanning unprotected social-media posts, fraudsters can garner personal information that unlocks online accounts where access is based on so-called knowledge-based information. Consumers appear to be increasingly willing to post such data as dates of birth, schools graduated from, and Social Security numbers, Stephen Coggeshall, chief analytics and science officer at LifeLock, tells Digital Transactions News. “Consumers should be careful about the information they share online and whom they friend,” he warns.