Everyone is victimized or only the naïve? The conflicting discourses surrounding identity theft victimization

Identity theft impacts millions of North Americans annually and has increased over the last decade. Victims of identity theft can face various consequences, including losses of time and money, as well as emotional, physical, and relational effects. Scholars have found that institutional messaging surrounding identity theft places responsibility on individuals for their own protection, which can mask institutions’ roles in identity theft’s prevalence. This paper presents findings from interviews with Canadian victims of identity theft and argues that conflicting discourses surround this crime. While identity theft victimizations are viewed as inevitable in the digital age, victims are often simultaneously stereotyped as old, naïve, or non-technologically savvy. Within this context, this research also finds that victims can express varying degrees of self-blame for having provided perpetrators with information or for having not better protected themselves. Finally, this paper argues that victims’ embarrassment and self-blame may impede help-seeking and reporting.


Introduction
Identity theft impacts millions of North Americans annually: approximately 9% of American  and 7% of Canadian (Sproule and Archer, 2008) adults are victimized annually according to the most recent available estimates in each country. Although many identity theft victims recuperate losses, leading to a misnomer of identity theft as a victimless crime, individual victims can face a range of emotional and physical consequences in addition to losses of time and money (Golladay and Holtfreter, 2017;Randa and Reyns, 2020).
Despite these consequences to a significant portion of the population each year, discourses surrounding identity theft encourage individual consumers to assume responsibility over their own protection (Cole and Pontell, 2006;Monahan, 2009;Whitson and Haggerty, 2008). When victimized, however, there is reason to believe that individuals may be stigmatized, as past research suggests that victim-blaming discourses surround other forms of fraud (see Cross, 2015). This paper first juxtaposes two main themes that emerged from interviews with victims of identity theft in Canada: that identity theft is an inevitable inconvenience in contemporary life and that victims of identity theft are naïve, old, non-technologically savvy, or otherwise blameworthy. The findings suggest that despite acceptance that breached information and misused accounts are inevitable, individuals who are victimized still face a stigma as having insufficiently protected themselves from victimization. Within this context, victims of identity theft may self-blame to varying degrees, including for trusting perpetrators or for failing to secure their personal information. Finally, this paper argues that victims' self-blame and embarrassment can impede help-seeking, which has significant implications for victim assistance both in Canada and internationally.

Identity theft and fraud in North America
Identity theft refers to the combined act of the theft and misuse of another person's identity information (McNally and Newman, 2008). Technically, identity theft refers to the theft or illegal possession of the information while identity fraud refers to its misuse; nonetheless, the term identity theft is used interchangeably since the latter usually depends on the former (McNally and Newman, 2008).
Identity theft was first criminalized in the United States in the late-1990s and in Canada the following decade (Archer et al., 2012). Scholars have noted that the criminal codification of identity theft in the United States rendered a set of differing forms of fraud into a single crime category that has since been labeled the fastest growing crime (Cole and Pontell, 2006;Monahan, 2009). Although the forms of fraud included in the label have significant differences, this codification unites these crimes as a shared symbol in the view of the public (Monahan, 2009). Identity theft can originate in numerous ways. For example, victims' information can be stolen and resold, breached through hacks of companies, or taken in phishing scams, where victims are viewed as having an active role in the incidents (Golladay, 2020). Moreover, identity theft can occur both offline or online, and following victimization, many victims are uncertain of how their information was obtained Turville et al., 2010).
In the United States, the National Crime Victimization Survey-Identity Theft Supplement (NCVS-ITS) collects information on victims of identity theft every 2 years. The most recent estimates from 2018 indicate that 9% of adults are victimized annually (Harrell, 2021: 1), which is a percent lower than 2016 (Harrell, 2019: 1) but an increase from 7% of adults in 2012 and 2014 (Harrell, 2017: 1;Harrell and Langton, 2013: 1). In Canada, there have been no representative surveys of identity theft victims since 2008, when Sproule and Archer (2008: 3) estimated that 1.7 million, or just under 7%, of Canadian adults were victimized in the previous year. Since then, police-reported rates of identity theft have been increasing in Canada (Moreau, 2021). The rising cases of identity theft have been attributed to the increased use of digital payment systems (Anderson et al., 2008), and most identity theft incidents in the United States involve the misuse of an existing account, including credit cards and banks .
The consequences of identity theft vary considerably. Most victims of identity theft recuperate financial losses by contacting banks, credit card companies, or other companies (Copes et al., 2010), with only 12% of victims paying out-of-pocket costs in 2018 (Harrell, 2021: 10). However, resolving identity theft takes time, and while over half of incidents are resolved in under a day, other victims may spend months dealing with the issues , and some are forced to miss work or cancel plans to resolve incidents (Identity Theft Resource Center, 2018). Moreover, identity theft often produces emotional consequences including anxiety, anger, and feelings of vulnerability and violation (Identity Theft Resource Center, 2018;Randa and Reyns, 2020). Some incidents can result in relational issues including familial stress (Identity Theft Resource Center, 2018), and some victims may experience physical problems such as difficulty sleeping, headaches, and pain (Identity Theft Resource Center, 2018;Randa and Reyns, 2020). Considering these consequences combined with its high prevalence, identity theft impacts millions of victims annually in various ways.

Fraud victimization: responsibility and blame
Several scholars have examined how discourses surrounding identity theft protection place responsibility on individual consumers. Discussions of identity theft prevention tend to focus on the individual's role rather than structural, policing, or policy solutions (Cole and Pontell, 2006;Monahan, 2009). For example, Cole and Pontell (2006) observe that public messaging about identity theft tends to focus on the practices that individuals can take to protect themselves rather than some of the problematic ways that corporations and governments use identity information. Similarly, Monahan (2009) argues that the responsibility that is placed on individual consumers for self-protection against identity theft implies that citizens should not rely on the state for support, despite governments and private companies routinely using vulnerable information systems. Whitson and Haggerty (2008) examine North American government, law enforcement, and financial sectors' public messaging about identity theft, and they also find that the language places responsibility on individual consumers. They observe that individuals are simultaneously framed as responsible for identity theft prevention and as the actors in charge of resolving victimization if it occurs (Whitson and Haggerty, 2008). Moreover, they note that many of the practices recommended by these institutions exceed reasonable steps for one individual to manage along with the many other risks in modern life (Whitson and Haggerty, 2008).
While the self-protection discourse implies that identity theft victimization is preventable with the appropriate measures, it is simultaneously framed as inevitable (Cole and Pontell, 2006). Whitson and Haggerty (2008) find that institutions whose messaging positioned identity theft as individuals' responsibility sometimes also framed identity theft as inevitable, even when suitable prevention measures are implemented. They argue that the messaging implies to citizens that "everyone is at risk; everyone will eventually be victimized, so here is what everyone should do to help themselves" (Whitson and Haggerty, 2008: 580). Cole and Pontell (2006) observe that although this framing may be similar to that of other emerging and technological crimes, this is not how traditional crimes are presented, "media accounts of murder and robbery, for example, are not generally followed by a set of bullet-point recommendations for how the reader or viewer can avoid becoming a victim" (p. 141).
When the discourse presents victims as those who have failed to protect themselves appropriately, it follows that victims can be blamed for their own victimization (Cole and Pontell, 2006). While victim blaming surrounds victims of gender-based violence, including intimate partner (Meyer, 2016) and sexual violence (Grubb and Turner, 2012;Randall, 2011), scholars have also found victim blaming and self-blame among victims of white-collar crimes (Shover et al., 1994). Moreover, there is evidence of victim-blaming discourses surrounding other forms of fraud, as well as embarrassment and self-blame by victims. In a study of fraud victims in the United Kingdom, Button et al. (2009) reported that some victims blamed themselves for incidents and reported embarrassment. More recently, Cross (2015) found pervasive blame among a sample of Australian seniors who received phishing, advance-fee, and romance fraud e-mails; this sample comprised both those who responded to e-mails and those who did not. Cross (2015) found that victim-blaming discourse surrounded victims of online fraud and presented victims as greedy or gullible for responding to the e-mails. Similarly, Burgard and Schlembach (2013) observed self-blame in their study identifying the stages of online fraud victimization. Many of the participants were victim to eBay scams, and some expressed anger toward themselves (Burgard and Schlembach, 2013). While victims of these types of fraud are often viewed as having an active role in their victimization since they must respond to the perpetrator, this view tends to downplay the level of sophistication involved in fraudsters' techniques (Button and Cross, 2017;Cross, 2015;Drew and Cross, 2013).
There is evidence that these social attitudes toward victims of fraud have consequences for victim assistance. Button et al. (2009) found that some fraud victims opted not to report to police or other institutions due to feelings of shame and embarrassment, while other victims stated that law enforcement had no role in responding to their incident since it was their own fault. In the study of seniors, Cross (2015) notes that both victims and non-victims used humor to trivialize fraudulent e-mails, which can function as a barrier to help-seeking. Similarly, Burgard and Schlembach (2013) found that some victims of fraud expressed anger toward themselves, which led them to avoid reporting to police, other institutions, and even friends. Finally, in a more recent study of online fraud victims, Cross (2018) draws on Christie (1986) to argue that online fraud victims are not ideal victims, primarily because they are often framed as blameworthy. Christie's (1986) ideal victim refers to those who are most likely to be accepted by broader society as true victims: typically, the weak, young, or old, and those who are innocent and blameless. For fraud victims, this lack of conformity to depictions of ideal victims can cause others to trivialize the harm a victim faces and can lead to difficulty accessing and receiving support (Cross, 2018). In sum, there appears to be a pervasive victim-blaming discourse surrounding certain forms of fraud, and it is expected that some identity theft victims may experience similar blame.

Current focus
The purpose of this paper is to present two main themes discovered in interviews with victims about identity theft in North America: that identity theft is understood as inevitable and that victims are often viewed as naïve or non-technologically savvy. This research stems from a broader study focusing on victims' experiences with identity theft and their reporting decisions following victimization. During interviews, participants often referred to other victims of identity theft in stereotypical manners, yet they also often expressed that identity theft was inevitable. In the context of past research that finds that identity theft messaging from governments and financial institutions presents it as inevitable while placing responsibility for protection on individual consumers, this research is important for displaying how these discourses manifest in the everyday experiences of identity theft victims.

Methods
This study draws from interviews with 20 victims of identity theft in Southern Ontario that took place in 2019 and 2020. Participants were recruited and interviewed in multiple ways: first, participants were recruited through posters displayed at not-for-profit family and financial counseling centers in Southern Ontario, whose goals of financial education and literacy aligned with the motivations for this study. Second, recruitment posts were made on the social media and news site, Reddit.com. Posts were made intermittently on sub-communities, or subreddits, for cities in Southern Ontario. Finally, participants were recruited through an internal posting at the researcher's university. Interviews were conducted both in person and over the phone.
Inclusion criteria for the study were derived from the NCVS-ITS (United States Department of Justice, 2021). The posts indicated that participants would be eligible for the study if they had experienced the misuse of an account, including credit card, banking, or other; the creation of a new account in their name; or any other fraudulent misuse of their personal information.
Due to concerns with participants' comfort discussing personal details following identity theft, exhaustive demographic information was not collected. Twelve males and eight females participated in the study. Most of the participants (85%) were between 18 and 40 years of age, which may reflect Reddit.com's younger demographic (Shatz, 2017). The most common main activities of the participants were students and working in information technology or marketing. Participants faced a range of identity theft incidents, with some experiencing multiple previous victimizations. In total, participants described 28 incidents of identity theft. Most of the identity theft incidents described were the misuse of an existing account (86%), with some new account victimizations (7%) and other fraudulent misuses of personal information (7%).
The interviews ranged from 22 to 66 minutes in length, with a mean of 39 minutes. Each interview involved a narrative component and a flexible open-ended phase about participants' experiences and their general opinions about identity theft. First, participants were asked to describe the story of a time that their personal information or account was misused without their consent. In this phase, the interviewer provided prompts for the participant to continue, such as asking what happened next. When participants indicated that the story was complete, they were asked if there were any other times that they had experienced the misuse of their accounts or information.
Following this narrative phase, participants were asked follow-up questions based on their story, including questions about their reporting decisions if these were not previously discussed. An active interviewing approach (Holstein and Gubrium, 1995) was embraced to try to better understand participants' assumptions about identity theft incidents. At times, this included the interviewer playing dumb or playing devil's advocate to try gauge participants' underlying assumptions. The interviews concluded with general discussions about participants' perceptions of identity theft and fraud in society, including their understanding of responsibility for preventing and responding to account fraud and identity theft.
Analyses of interview data involved multiple stages inspired by grounded theory coding (Charmaz, 2014) and the constant comparative method (Glaser and Strauss, 1967). Line-by-line coding was first performed with a focus on actions participants described in order to avoid analyzing data based on prior conceptions. Next, focused coding involved revisiting all codes and comparing those that had arisen multiple times or presented opposing perspectives by participants. NVivo was used to facilitate organization and coding. This research was reviewed and approved by the university's office of research ethics and all participants were assigned pseudonyms.

Results
The interviews began with participants recounting the details of the identity theft incidents that they had experienced, then continued with follow-up questions and a general discussion of identity theft in contemporary society. In these discussions, two conflicting themes emerged concerning identity theft victimization: that it is inevitable and a minor inconvenience to be anticipated, and that victims of identity theft are expected to be naïve, non-technologically savvy, old, or otherwise blameworthy. After discussing these contradictory themes, this paper will then describe how some participants blamed themselves or felt embarrassment for their own victimization. Finally, the paper will discuss how self-blame and embarrassment can impact victims' disclosure of incidents and outline evidence that stigma surrounding identity theft victimization can impede help-seeking.

Inevitability
Victims of identity theft frequently addressed how the misuse of accounts and identity information were inevitable. At times, this arose when victims framed the incidents they experienced as minor inconveniences that should be expected in modern life. For example, Phoebe is a student who was victim to credit card fraud for the first time during exams. When discussing the incident, she said, 'It was just kind of an inconvenience, right? It's not like I lost a house or something, I just ... especially if it's during exams, it's like, "I don't need this" [laughs]'. Similarly, Jake is a marketing professional who had his wallet taken and his credit cards misused. Jake said, As long as you're not committing fraud and, you know, phoning in fake things like this then you shouldn't have any problem, you know, recovering your money. And it's a bit of a pain in the ass to have to replace your cards, but there's a lot worse that can happen. Even those victims who had more complex cases sometimes described incidents as minor inconveniences. Regan is an entrepreneur whose phone was fraudulently ported (or transferred) out to another carrier. At the same time, she had thousands of dollars in fraudulent charges made through an online payment account. Regan expressed, Honestly, it was stressful the day of, but I had complete faith in the companies because it was clearly not my fault, the addresses didn't match up with any of the addresses I had on file so they knew it wasn't me. And they were able to deal with it.
In these cases, participants framed these incidents as minor inconveniences, suggesting identity theft is to be expected.
When the interviews proceeded to more general discussions, participants were more overt in describing the inevitability of identity theft. Some participants discussed inevitability due to the ubiquity of Internet databases and modern payment systems. For example, Peter is a student whose Amazon account was misused after his login information was leaked from a separate company. Peter expressed that 'information leakage is, I think it's a very ordinary thing nowadays'. Regan echoed the perspective that identity theft is inevitable when shopping and using personal information online: 'there's always some form of risk when you're doing anything online, because ... unless you're one of the most skilled firewall builders in the world, there's always going to be some modicum of risk for online stuff.' Similarly, Logan had his credit card misused internationally, and although he was confused by how the incident originated, he accepted it as inevitable: I think I kind of include it in the cost of doing business in a digital age. It's like it's bound to happen at some point. You know at some point, I mean, the digital currency will be hacked and the credit card account card will be compromised. And it's, you know, I think just a fact of life.
These participants understood identity theft as inevitable because of the electronic payment systems and online databases used today.
Finally, some participants' discussions of identity theft's inevitability related to discourses of individual responsibility. For example, Hunter, a young professional who experienced credit card fraud, expressed, 'you're always aware that it could happen again, but I think just being aware and trying to reduce the circumstances that it could happen in'. Ian, who was a victim of banking fraud, also discussed the inevitability of identity theft as a reason that individuals need to be responsible. Ian first said, We have to do this stuff in today's day and age: we have to do online banking and transactions. But ... all that information is being stored somewhere on a server, and that server is going to be cracked at some point, and we have to be at least prepared for it ... that it's going to happen. Eventually, at some point.
Later, Ian added, 'I think it's responsible to know, as a consumer, as a person, as a user, that your information will get used. It will get stolen, at least you have to know that it will get monitored.' Similar to Cole and Pontell's (2006) and Whitson and Haggerty's (2008) discussions about institutional messaging, these examples illustrate that victims may understand identity theft as both inevitable and individuals' responsibility for protection. Finally, Courtney, who was the victim of new account fraud and had a dozen credit products opened in her name, expressed, I just sort of accept that it's going to happen and there's not much that we can do about it. Because I had thought I was pretty good, obviously I wasn't good enough, um, and that's pretty obvious now. But, you know, it happens to lots of different kinds of people, and you hear more about it, or I'm paying attention more, and I just am not sure that ... how much can be done to prevent it.
In sum, many participants viewed identity theft as inevitable in modern life. Moreover, these final examples demonstrate how victims can perceive identity theft as both inevitable and their own responsibility for preventing.

Stereotypical victims of identity theft
Despite this widespread understanding of identity theft as inevitable, participants frequently referred to other victims of identity theft using stereotypical descriptors as old, naïve, or non-technologically savvy. These depictions imply that identity theft victims have some responsibility for their own victimization, either by falling for a scam or by not knowing how to protect oneself. The interview guide did not include questions that asked who participants viewed as typical victims of identity theft. Rather, participants often referenced these stereotypical descriptions of victims when discussing how they never thought these incidents would happen to them, when they compared themselves to other victims, and when they referenced well-known Canadian phishing scams.
A common question that elicited stereotypes of identity theft victims was 'Prior to this incident, was this something that you gave much thought?' In many cases, when asked whether they had previously thought about identity theft victimization, participants referred to, or implied, conceptions of typical victims as naïve or foolish. When Nolan, a university student, was asked this question, he replied, Absolutely not. I was like, you know what, that's never going to happen to me, like, I'm pretty good with my stuff, kind of thing, like I'm not really worried ... and you're like-honestly most people don't think they're like dumb, basically, you're like, 'Oh I would never fall for like a scheme like that, or a scam or something', and then it happens to you, and you're just like, 'Oh shoot, like that really sucks'.
Similarly, Grant, whose credit card was misused through a food delivery application, expressed, I hadn't really like thought that I would be someone who would have their money stolen, because I kind of, incorrectly assumed that like, you need to be kind of naïve to fall victim to this sort of a scam. Like, I thought that I was very careful with my credit card information, you know the site assured me that it was secure, and that things were stored in a secure area.
The final sentence of this quote refers to Grant's experience and recognition that all it takes to be victimized is for a trusted website or application to be compromised. Both of these quotes illustrate that prior to the incidents experienced, Nolan and Grant assumed that identity theft victims were likely naïve. Edward, who is in his late-20s and identified as technologically savvy, stated, 'It never happened to me and I didn't think it could ever happen to me. I'm usually very cautious. I'm usually like security-minded, like, you know, careful'. Although not as explicit as the prior examples, Edward also implied that being technologically savvy and careful should function as protective factors against victimization.
This belief that identity theft would not happen to individuals who are cautious or technologically savvy arose elsewhere in interviews. Toward the end of Jake's interview, he was asked if there was anything else that he would like to discuss, and he responded, I mean, the only thing that jumps to mind really is, I'm one of those people who definitely considered that I would never fall victim to, like an online fraud kind of thing. Um, like I mean, maybe it's part of the age thing ... but, the thing is that, unfortunately, a lot of stuff around this is still stuck in, you know, in real life, like, we're not a cashless society, you need your cards, right?
Although its prevalence suggests that most individuals would be victim to some form of identity theft in their lifetime, it is unsurprising that many young victims do not give it thought before experiencing an incident. The significance of the unexpected nature of identity theft is that it is tied to assumptions about who would be an expected victim. In these cases, individuals associate risk for victimization with being naïve or reckless, while assuming that knowledge of technology and security act as protective factors against identity theft. Nonetheless, Jake's quote illustrates that the assumption that only a certain type of person could be victimized is incompatible with the framing of these incidents as inevitable. Grant, too, alludes to this incompatibility, since he acknowledged that he 'incorrectly assumed' only naïve individuals are victimized, when all it took for him to be victimized was to trust a company with his credit card information.
The expectation that those who are naïve are typical victims of identity theft is also tied to the common perception of older individuals having difficulty using technology. When discussing how he resolved the issue efficiently, Grant said, I feel like I'm educated and I'm technologically savvy, whereas I feel badly for people who are maybe like, um, older than I am and who don't necessarily have those skills or who, you know, are more um, what's the word I'm looking for, more um, more prone to be victimized.
In this instance, Grant suggests that age and technological skills not only play a role in resolving the incident, but also in its prevention. Titus is a software developer in his early-30s who experienced credit card fraud for the first time the day before the interview. At the conclusion of each interview, the participants were asked how they would like to be described. With Titus, this question led to an illuminating exchange about the assumptions of common victims of identity theft: Interviewer: Is there a specific way you want to be described? Titus: I suppose if you describe me as a software developer, it might give weight to the fact that I wasn't being like haphazard online and stuff like that. You know, that I have some understanding of technology. Interviewer: Now we're going to have to dig into this statement, is there some sort of assumption here that the people this happens to are in some way not tech-savvy? Titus: I mean, yeah. I think that perception does exist. You would say, 'Oh it's happening to, like old grandmothers'.
This exchange demonstrates that participants often compared their experiences to their prior conceptions of identity theft victims. In this case, Titus viewed his circumstances as a demonstration that these incidents can occur even to those who are cautious.
Finally, participants frequently referenced a common scam in Canada where perpetrators pose as the Canada Revenue Agency (CRA) on telephone calls or voicemail messages. These scams tell potential victims that they owe money to the CRA and threaten legal recourse if the victim does not reply. Several participants referred to how naïve one would have to be to fall for such a scam. Grant shared the story of an individual he knew who was victim to a CRA scam, saying that the individual: was a victim of one of those telephone scams ... where they call and they say, 'We're calling from the Canada Revenue Agency and you need to remain on the phone or we're going to, you know, dispatch the police to your house'. So like, we were all kind of like, 'You really thought that was Canada Revenue Agency, like are you serious?' [laughs] Um, but anyway, he's in his sixties.
Grant's use of humor in reaction to describing someone falling for a CRA scam appears to be common (see Cross, 2015). Furthermore, immediately after the laughter, Grant justified the incident, in part, in terms of the victim's age. While descriptions of the CRA scam can construct victims as partly responsible, participants also showed an understanding that vulnerable populations are likely targeted. Courtney discussed such scams and said, but this is Canada and it's not as though if I don't press 1, somebody's going to show up and arrest me and throw me in jail. Like, they just seem so extreme. But then, like, people fall for them, right ... and the people who fall for them are usually pretty vulnerable people, like they're older, or you know whatever ... and I mean, people wouldn't keep doing them if they didn't work. So they must work ... I just don't have any personal experience with them myself, and it's, you know, sometimes you hear the stories of what the message is or what the conversation is people will have with the people on the other line, and like I said, I can't decide if it just seems so ridiculous, or if it's, you know, I feel really bad for the people that get pulled into them.
At the opposite extreme, younger individuals can also be viewed as naïve and financially irresponsible. Peter, whose Amazon account was misused after a separate company was hacked, described that he had previously experienced an incident when he was younger. In the earlier incident, he provided information to a website that promised in-game currency for a video game. After sharing this second incident, Peter said, 'That happened too long ago, it was not really related, but I hope it will help with your study and how young people would believe everything they see online'. Later, Peter observed, It was kind of funny how when I was young, I didn't know anything, my account was hacked and even when I get older and I know how to be cautious, and how to protect my information online, I still get hacked somehow.
Peter's case echoes previous associations of naivety with identity theft while highlighting that the association is not exclusive to older individuals. Furthermore, by identifying the contrast between the two incidents he experienced, Peter suggested that these incidents are becoming increasingly inevitable.
This section demonstrates that victims often conceive of typical victims of identity theft as naïve, older, or otherwise vulnerable. Even without specifically asking how participants thought about other victims, they volunteered these depictions when describing how they never thought identity theft would happen to them, when comparing their incident to others, or when discussing scams more generally. These examples illustrate that victims are often seen as having some blame in their own victimization by failing to adequately protect themselves or by falling for an avoidable scam.

Self-blame
Tied to depictions of victims as responsible for their own self-protection, some participants blamed themselves for their role in the incidents they experienced. Participants blamed themselves for several reasons, including for trusting the perpetrator, providing information to the perpetrator, or not securing their information sufficiently.
Both Benjamin and Chandler were victimized by parents, and both expressed that they had some responsibility for the incidents. These incidents involved the perpetrator misusing the victim's information based on knowledge they had from their pre-existing relationship. Chandler, who was victim to bank account fraud, expressed that 'It's both of our faults. It's my fault for letting her know my PIN [Personal Identification Number] and it's her fault for using it without my permission'. Despite letting her mother know her PIN, the expectations based on their relationship were that the PIN would not be misused and that Chandler's debit card would not be taken without her permission.
Benjamin expressed similar self-blame. In his case, the misused funds were received from a student loan. During the interview, he was asked whether he thought there was more the student loan issuer could have done to prevent cases like his. Benjamin expressed that he did not know, then eventually said, 'in a way like, I kind of almost let this happen, so ... I don't know what they could do besides telling me-like controlling my autonomy which is ... I don't know about that'. Later in the interview, Benjamin expressed that 'It felt like a three strikes and you're out moment for me and that was like the first strike ... when, you know, one strike is enough'. Both cases illustrate that when a family member is the perpetrator, victims can blame themselves for trusting the family member or for not securing their information adequately.
In other cases, participants who did not know their perpetrators sometimes blamed themselves when they provided information to the perpetrator or allowed their information to be accessed easily. Some of these cases involved phishing scams, similar to the research by Cross (2015). Describing the incident that occurred to him at a young age, Peter said, 'It was because of me being too naïve and young and believing those websites'. Similarly, Hunter's most recent experience with credit card fraud was the result of a phishing scam, where someone posed as a company asking them to update their credit card information. Hunter expressed, the second one I just felt stupid, like I was like, 'How could this have happened?' Like, it looked so legitimate and then, I don't know ... like, you know when you hear about people, older people and kind of like CRA things happening to them, I was like, 'Oh my gosh, like, I feel like, I'm an old person, who's struggling [laughs] with this'.
In this quote, Hunter compared themselves to victims of the common CRA scam discussed previously. This illustrates how victims may compare themselves and their experiences to typical conceptions of victims, which can inform self-blame. Similarly, the creation of a line of credit in Dalton's name resulted from a phishing scam where he received a text message alleged to have been from a government agency asking him to update his information. He placed some blame on the government agency that was being personated, but also partly blamed himself. When asked whose responsibility the incident was, Dalton said, 'To some extent, it was mine'. Dalton also expressed how the incident impacted him, stating, 'First of all, I learned a lot of lessons, mostly about sharing my personal details'. This implies some self-blame given that Dalton felt that he could have better protected his personal details.
In this sense, one need not be fully accountable for one's victimization to be blamed for an incident. Several participants blamed other factors for their victimization yet highlighted further protective measures that they could have pursued, thus assigning some responsibility to themselves. For instance, Nolan expressed embarrassment over having his credit card taken and misused. When asked whose responsibility these incidents were, Nolan replied, Honestly it's tough, because like you can't really put it on the bank, because like, at the end of the day like, it's the same-well it's not the same, but like in a similar light to if I leave my wallet sitting on a bus, and someone takes 50 dollars out of my wallet, I can't go to the bank and be like, 'Someone took my 50 dollars', it'd be like, 'Well, you left it there'.
Similarly, several participants observed that they did not check their banking statements regularly, which can lead to unauthorized charges going unnoticed. Hunter expressed that they were a student when they first experienced credit card fraud: so I wasn't really closely paying attention to my statement at-like all the time, so I think that was part of the problem, like I wasn't checking it every single week, being like, 'Oh yeah, I made that purchase, I made that purchase'.
Following the incident, Hunter sought advice from their parents and stated that their parents 'were like, "Why aren't you paying better attention to your statements?"' In these examples, victims may not be framed as fully responsible but may acknowledge that they could better prevent or respond to identity theft.
Moreover, others expressed actions that they could have pursued before the incident, implying some level of preventability. Amanda, who believed her login information was compromised when using a public computer, offered advice to other potential victims: 'Maybe not use the same password for all your accounts. Because it makes you more vulnerable and ... don't leave anything unattended ... like if you're using a shared device, always sign out'. Finally, several participants referenced their own responsibility for incidents in the context of passwords. Regan, who had multiple accounts misused including her phone account, explained that it was 'because I didn't have a very secure PIN for my phone'. Similarly, Peter, who said the first incident was a result of his naivety, expressed that he could have secured his information better before the more recent incident: 'The thing is, many of my accounts [were] used with the same password, so I realized that I messed up big time'.
Across these cases, participants described several protective actions that they believed they could have implemented to better prevent identity theft or to notice the incident quicker. Some victims blamed themselves for putting too much trust in a family member, for responding to a phishing scam, or for insufficiently protecting their information. The self-blame experienced relates to both common depictions of identity theft victims and to discourses of individual responsibility, since victims are often viewed as naïve for trusting someone that they should not have or as inadequately able to protect themselves.

Embarrassment, self-blame, and help-seeking
Tied to the themes of self-blame and perceptions of victims as naïve or blameworthy, several participants expressed that they were selective in disclosing incidents to family or were concerned when reporting to institutions. Amanda described that after her social media account was breached and misused, she was selective with disclosing the incident. When she was asked if she sought advice from anyone, Amanda replied, 'I think I talked with my friends mostly because I know that, like, my mom would just not take it seriously [laughs]. So, yeah, it was like mostly my friends'.
Similarly, Hunter experienced multiple incidents of credit card fraud, the most recent of which resulted from a phishing scam. When asked about their conversation with their parents in the aftermath of the phishing scam, Hunter expressed, 'Yeah, I mean, like, in the second incident I just kind of told them, like, what happened again ... um, and then afterward they were just laughing at me about it, um [laughs] ... but luckily, like in a supportive way, but ... ' Finally, Nolan's card was misused at a bar, and he expressed embarrassment related to the incident. When discussing disclosing the incident to others, Nolan stated, 'I didn't want to talk to my mom, because she'd be like, "You're an idiot", [laughs], like she wouldn't be like mad at me, but she'd be like, "That's disappointing"'.
Moreover, fear over anticipated reactions also acted as a barrier for Nolan contacting his bank to recover his money. He did not reach out right away, stating, 'I didn't like report it right away, because I was like, "Okay like, I don't know how it's going to look"'. Eventually, he contacted them, but described his hesitance further: I kind of called in feeling like a little embarrassed, like oh, this is kind of embarrassing, like I'm a student, like, 'Oh, my money got spent at a bar, I don't know if they're going to take me seriously' kind of thing.
Similarly, Phoebe, who was a university student when victimized, feared judgment when calling her credit card company to be reimbursed. Phoebe stated, 'They didn't like, judge me about it, like, "Oh my god, another young girl using her credit card wrongly, gets fraud on her account"'. Luckily, both Nolan and Phoebe eventually reported their incidents and recuperated their losses. Nonetheless, they both anticipated negative reactions, which demonstrates how these stereotypes of identity theft victims as naïve, along with self-blame, can function as barriers to help-seeking. Of course, had Nolan opted not to report, it is clear how embarrassment could also lead to an increased risk of paying for losses out-of-pocket.

Discussion
In summary, this study found that while identity theft is often discussed as inevitable, stereotypes nonetheless exist about who is expected to be a victim. Moreover, victims are found to express varying amounts of self-blame, which often ties to discourses of naïve victims or the individual responsibility for self-protection. Some of the difference in the framing of identity theft victimsas naïve or ubiquitous-results from the many ways that individuals can become victims. The stereotypical view of victims predominantly relates to those who fall victim to phishing scams, which is exemplified by the comparisons that participants made to common Canadian phishing scams. Nonetheless, the view of victims as naïve, old, or non-technologically savvy still manifests when discussing hacks and breaches. These incidents would seem to merit blame on institutions rather than individuals, yet those victimized through breaches may still feel that they could have done more to protect themselves. As such, the contradiction of victimization as inevitable and as only affecting particular groups appears across forms of identity theft.
This study builds on past research which has found victim-blaming discourses to be common among victims of phishing, advance-fee, and romance frauds (Cross, 2015). These forms of fraud involve victims responding to a perpetrator, and thus victims can be framed as having an active role in their victimization (Cross, 2015), despite the sophistication of perpetrators' tools and techniques (Drew and Cross, 2013). This study finds that this victim blaming extends to other forms of identity theft that do not require a response by the victim, including those resulting from company hacks and breaches.
This study is also significant in the context of past research on the responsibility for identity theft. There appear to be multiple overlapping yet conflicting discourses surrounding identity theft victimization in contemporary society. First, individuals understand identity theft to be everywhere, with everyone at risk. The perception of ubiquitous hacking and corporate breaches leads individuals to believe that identity theft is inevitable. Second, while these events are constructed as constant threats, past research indicates that discourses surrounding identity theft frame responsibility as falling on individual consumers rather than on corporations or law enforcement (Cole and Pontell, 2006;Monahan, 2009;Whitson and Haggerty, 2008). Consequently, the messaging that places responsibility on individuals to protect themselves could contribute to the stigmatized view of victims. Finally, the finding that once victimized, individuals may blame the self or anticipate blame from others is important in the context of these discourses.
Thus, this study's findings are also significant for victim reporting. Identity theft and fraud are notably underreported to law enforcement (Reyns and Randa, 2017;Schoepfer and Piquero, 2009), with the most recent estimates suggesting that only 7% of victims contact police (Harrell, 2021: 7). Although this underreporting is partly the result of the complex arrangement of institutional actors that can assist in fraud and identity theft's aftermath (see Button et al., 2012), this study posits that victims' self-blame or embarrassment may also impede help-seeking. In some cases, victims may feel embarrassment or shame that they are unable to adequately protect themselves from online risks, and with these emotions comes a tendency to be selective in disclosing incidents. Unfortunately, this can act as a barrier to receiving support from family and friends and may prevent reporting to institutions that can assist.
Victim blaming is not unique to identity theft and fraud, and victim-blaming discourses have been prominent in victimology's history beginning with victim typologies and theories of victim precipitation (Miers, 1989). In addition, victim blaming is pervasive toward survivors and victims of gender-based violence, including sexual assault (Grubb and Turner, 2012;Randall, 2011) and intimate partner violence (Meyer, 2016). Victims of these crimes may also have trouble receiving recognition as victims; for example, domestic violence survivors are often constructed as non-ideal victims based on their familiarity with the offender and thus what they could have done differently (see Duggan, 2018). In the case of identity theft, victims are similarly framed as non-ideal for engaging with a perpetrator through scams or for not better protecting themselves. In addition to describing specific characteristics of ideal victims, Christie (1986) emphasized that these attributes are culturally specific. In this sense, regardless of whether an identity theft victim's non-ideal status stems from them being tricked into responding to a scammer or from their perceived inadequate self-protection, this disconformity to the ideal victim appears to reflect broader social perceptions of identity theft and fraud (see Cross, 2018).
Interestingly, the messaging surrounding identity theft may more overtly discuss self-protection than messaging surrounding gender-based violence, including by providing lists of actions potential victims ought to take (Cole and Pontell, 2006). Nonetheless, the subtext of media framing of gender-based violence can still contribute to victim blaming by focusing on victims and survivors, while neglecting perpetrators and broader social conditions enabling gender-based violence (Berns, 2004). In both cases, the constant focus on victims obscures the roles of perpetrators and social issues that contribute to widespread victimization. In a similar sense, criminology and victimology's movement toward studying risk and their discussions of the inevitability of certain crimes can neglect the causes of crime and encourage victim blaming by shifting the focus to self-protection (Walklate, 1997).
Unfortunately, the focus on individual-level prevention in institutional messaging is a product of neoliberalism (Cole and Pontell, 2006;Monahan, 2009;Whitson and Haggerty, 2008), and thus has no simple solution. Moreover, many of the corporations that could implement stricter security measures to limit identity theft are motivated by profits over security (Cole and Pontell, 2006); for example, prioritizing quick access to credit over secure authentication measures (Whitson and Haggerty, 2008). Thus, financial institutions and other corporations are likely to continue producing messaging that normalizes the ubiquity of identity theft and shifts responsibility to consumers.
Within this context, several changes could occur to reduce victim blaming while increasing institutional accountability. Governments could pressure institutions that collect and hold personal information to implement stricter security measures to better protect citizens (Cole and Pontell, 2006). In addition, laws could be enacted to ensure identifying information and individuals' accounts are better secured, including implementing greater financial punishments for breaches, which could function to incentivize companies to fund security research. Governments and law enforcement could also ensure that their messaging surrounding identity theft, fraud, and misused accounts is aimed at reducing, rather than producing, stigma. While the private sector may not be motivated to re-frame identity theft as an institution-level issue, messaging that encourages helpseeking in the aftermath would be beneficial.
Finally, it is noteworthy that much of the institutional messaging that shifts responsibility to individuals also functions to mask institutions' own roles in identity theft (Monahan, 2009;Whitson and Haggerty, 2008). This is similar to the manner in which exclusively focusing on survivors and victims of intimate partner violence neglects the role of perpetrators and broader social inequalities (see Berns, 2004). As such, continuing to discuss and research institutions' roles in facilitating these conditions is one avenue for combatting victim-blaming discourses. Future research on identity theft and its victims should remain critical to the social and structural conditions which enable it.