Identity Theft of the Decedent

Unfortunately, thieves also try to steal identities of recently deceased people. If family and friends are unaware, it is easy for this type of identity theft to go undetected for some time. For example, a report released by the United States Senate in July 2008 found that there were nearly 480,000 Medicare claims made using the identities of deceased doctors. Some identity theft methods include:

  • Scanning obituaries. Information often included in an obituary, e.g., address, date of birth, mother’s maiden name and phone number, can be used to steal an identity. This information, combined with a simple public records search, makes it easy for identity thieves to victimize the decedent. Survivors should consider this risk when writing an obituary for a loved one.

  • Burglary.  Another way thieves obtain the decedent’s identifying information is by burglarizing the decedent’s or loved one’s home during a funeral. To combat this activity, especially for those living in rural areas, the family may want to request that local law enforcement keep an eye on the house or simply ask a neighbor to monitor the property during this time.

Protecting the Decedent from Identity Theft

It is critical to take steps immediately after the death of a loved one to protect them from identity theft.  Here are a few things you can do:

  • Order several copies of the death certificate. You will need them in order to implement safeguards on the decedent’s accounts. (Please note: Photocopies do not suffice. Original copies are required.)

  • Destroy the decedent’s identification. Also destroy anything that can be used to fraudulently obtain accounts, obtain identification or impersonate the decedent. Make sure to shred or destroy driver’s licenses, credit cards, passports and other identifying documents that you will not need in the future. (Please note: If you choose not to destroy the decedent’s identifying documents, keep them in a very secure place. Also be sure to call the issuing agency of the identification so they know the record holder is deceased and to prevent anyone else from fraudulently using the decedent’s name and information.)

  • Contact the main credit reporting agencies (Experian, TransUnion and Equifax) and request that the accounts be specifically marked as deceased. While speaking with the credit reporting agencies, also request a copy of the decedent’s credit report. Meticulously check the report for any fraudulent activity. (Please note: The agencies will likely require a copy of the death certificate and a copy of the court papers naming the personal representative.)

  • Contact the Social Security Administration. (Please note: They will likely require copies of the death certificate.)

  • Do not forget routine accounts such as library or gym memberships and organizations to which the decedent belonged.

  • When going through the decedent’s belongings, shred all documents with identifying information that you do not need. This will help prevent identity thieves from finding information in the trash or recycling at the decedent’s residence.

  • Properly dispose of the hard drive in the decedent’s computer. Hard drives can never be fully erased, despite your best efforts to delete all the sensitive files on them. The best route is to simply destroy the hard drive and replace it with a new one. (Please note: Some companies offer software that will scramble the data left on the drive, but it is still possible that someone could access it anyway.)

Additional Safeguards to Take to Protect the Decedent

The Mail

It is a federal crime to tamper with someone’s mail, but that does not deter potential thieves. It does not take much effort for someone to steal the mail from a mailbox and sift through it for identifying information that could be used to steal an identity. Someone wishing to steal an identity might steal both incoming and outgoing mail to gather personal information. Some safeguards include:

  • Protect the mail: use a secure mailbox or a post office (PO) box.

  • Have the post office hold the mail if no one is living at the residence.

  • Send sensitive documents directly from the post office.

  • Pay attention to the timeline within which you expect sensitive mail to arrive; do not leave it sitting in the mailbox.

  • Notify retailers and creditors of the death so they stop sending mail to the decedent.

  • Know when the mail is delivered and know the mail carrier.

  • Keep an eye out for regular mailings like bills and statements. Follow up with the company if you do not receive them. This may help you immediately identify that someone has stolen the mail.

  • Get rid of junk mail; there are many ways to opt out of junk mail, especially via the Internet. Opt out of as much as you can to reduce the potential for strangers to steal credit card offers, pre-approved loans and other unsolicited junk mail.

Personal Documents: At Home

Though it is unpleasant to think about, we routinely let people into our homes, such as contractors or acquaintances, who can easily snoop through personal papers and find useful information to sell or use. After someone has passed away there is often an influx of people flooding the decedent’s and the family’s homes, from caterers to mourners. Keeping files locked in a file cabinet or in another secure location will prevent any mishaps. Similarly, personal documents at work, including an agenda or other files, can be taken or copied by anyone with access to the decedent’s desk.

Personal Documents: At Work or a Third-Party Business

Personnel files at work, medical files at clinics and hospitals and other businesses that have files with identifying information are places where identity thieves can get information to steal the decedent’s identity. These businesses usually have safeguards in place to prevent unauthorized access to files, but security breaches do happen and even those who are authorized could steal information. Ways to protect the decedent include:

  • Lock up all important documents

  • Shred documents with identifiable information

  • Keep track of statements and bills to watch for any unauthorized activity

  • Get a credit report at least once a year for several years following the death to ensure no one has fraudulently opened accounts in the decedent’s name

Waste bins

The waste bin or recycling bin at family homes or at the decedent’s workplace might contain documents with personally identifiable information such as bills, bank records and even junk mail such as pre-approved loan and credit applications. It is crucial to shred these documents to prevent someone from stealing the information contained in them. This is particularly the case when you clean out the decedent’s desk or office. Be careful when disposing of any documents and be sure to shred those with personally identifiable information.


Use a gel pen to write checks for the estate. The ink used in gel pens is not as easily check-washed as that in ballpoint pens.

Phone calls

Unfortunately, thieves may pose as employees of financial institutions or other companies with whom you or the decedent had a relationship; they may contact you to try to “verify” personally identifiable information. Most companies will not call you suddenly to confirm information, so check the legitimacy of the call first. This is especially prudent if someone calls strictly to confirm the death of the decedent. It is possible that would-be identity thieves could scan the obituaries and call the home posing as a creditor or other legitimate business. Make sure to ask who is speaking and whom they represent. Feel free to take their number and return the call at your convenience to ensure they are from a legitimate business. If you must give personally identifying information over the phone, be cautious. Do not give out personal information unless you initiated the call.

Malware / Spyware

Malware, or malicious software, is usually installed on a user’s computer without their informed consent. It can be bundled with other software that the user is installing, such as a media player. For example, when the user installs the media player (in this instance), they are unknowingly installing other software that can be used to steal their personal information. Malware includes many types of malicious software such as viruses, worms and spyware.

Spyware is a type of malware that is used to gather personal information without the express permission of the user. Spyware can log a user’s keystrokes in order to collect passwords and other typed information and can also give others control over a user’s computer through a “backdoor” in the installed software. This backdoor gives the thief remote access to the user’s computer.

As a safeguard, make sure to verify the authenticity of any software that will be installed on a computer, especially if it is free software downloaded from the Internet. The decedent’s computer could easily contain some of this software, so you may want to scan it before conducting any important business on the decedent’s computer (filling out court forms, writing letters, etc.).

Also, if the decedent’s computer will be donated or given away, make sure to remove all personally identifiable data from the hard drive before giving it to someone else. This does not simply mean deleting files; the hard drive should be completely reformatted to eliminate the opportunity for anyone to steal the information that was on it.


Phishing is the process of prompting a user to enter personally identifiable information into a web site that looks legitimate but is actually just a shell used to steal personal information. Thieves will set up a web page that looks exactly like the authentic page and record information that users are duped into providing. There are numerous ways for people to phish for your information. E-mail and fraudulent Internet sites are the two most common.


As e-mail continues to become an important fixture in our society, it is critical that the decedent’s e-mail accounts be closed. Here are some actions to take:

  • The first step is to search for a record of the decedent’s e-mail password(s) or ask whether a family member or friend is aware of it. If there is no record of the decedent’s password, contact the company that provides the e-mail account. In cases of employee e-mail access, the decedent’s employer can likely reset the password so the family has access. In terms of gaining access to online accounts such as Yahoo!, Google or Hotmail, the company in question will need to inform you about how they handle deceased accounts. (Please note: Some companies will be stricter than others. In the past, Google’s Gmail and Microsoft’s Hotmail have been compliant with requests for access by families as long as they have appropriate documentation. Yahoo!, however, has consistently rejected such requests. Contact the e-mail provider to learn their policy.)

    Once access has been gained, you will likely want to respond to any personal e-mails that were sent since the death to let people know that the decedent has passed away. In some cases, a group e-mail is a good option.

    Next, download any important information and, finally, contact the e-mail provider about closing the account. Simply leaving the account open could be risky. If for some reason the account cannot be closed, however, delete all sensitive information in case the account is accessed in the future.

    Finally, beware of e-mails sent after death requesting sensitive information.  The e-mail is likely fake and the perpetrator may simply be phishing for sensitive information that can be used to steal the decedent’s identity. If you feel the e-mail could be legitimate, call the company to confirm the legitimacy of the message. Do not, under any circumstances, send sensitive information about the decedent or yourself by e-mail before examining the source.