Identity theft isn’t a problem for you, right? You’re tech savvy and you’d never fall for a phishing attack or let a password fall into the wrong hands. You’re confident that your online identity is safe, but that confidence could be your digital undoing.

It might seem counterintuitive, but according to a study from CBT Nuggets self-identified “tech-savvy” people are actually 18% more likely to fall prey to identity theft. Not only that, but it seems more highly educated people are just as likely as those without an advanced degree to be hacked, so formal education does little to impress the importance of cybersecurity.

The study reveals a number of surprising statistics about identity theft and hacking victims, but one number is disappointingly unsurprising: A lot of people just don’t care, admit they’re too lazy, or don’t want to be inconvenienced by online security requirements.

The average victim of an online hack

If the numbers are to be believed it’s not the tech-averse Baby Boomer victimized by identity theft. The most commonly hit are people who consider themselves tech-savvy, those who prefer macOS to Windows, Android users, and women.

As mentioned above, education level seems to have little to do with the likelihood of getting hacked–nearly one quarter of those with an associate’s degree, master’s degree, or PhD have been the victim of identity theft.

SEE: Security awareness and training policy (Tech Pro Research)

Not all the numbers are surprising, though: Millennials are the least likely to have had their personal data stolen, but here’s a twist: The biggest group of victims is Generation X. Boomers sit between the two.

So, who is the most likely to have their identity stolen? According to those numbers it’s a Gen-X woman with a PhD who considers herself tech-savvy, owns a MacBook, and uses an Android phone.

Attitudes matter

The figures seem counterintuitive at first glance, but digging further into the report yields a few more seeming contradictions that start making sense when considered together.

CBT Nuggets breaks password habits down by the same demographics it did with likelihood to get hacked, and it starts by asking an important question for anyone concerned about password security: How many unique passwords do you use?

Surprisingly, users with more unique passwords are more likely to be hacked, the report found. “Tech-savvy” users use more unique passwords, as do Android users and women. The only most-hacked group that doesn’t practice good password habits are Mac users–Windows users are 12.6% more likely to make an extra security effort.

The big reveal comes from the next set of numbers: less than 4% of people follow “all the basic security recommendations,” and 40% admit they’re simply too lazy, don’t care, or don’t want to be bothered with what it takes to be safe online.

What does it all mean?

There are a lot of takeaways to be found in this report despite the fact that the data seems contradictory. So, why do groups with better security habits still face more hacks?

“When it comes to security, many people (millennials included) feel that in this day and age, someone’ has taken the appropriate steps to secure the system,” says CBT Nuggets security consultant Keith Barker. “[But] the users themselves and the ‘human factor’ are some of the most significant weakness in those systems.”

SEE: Here are the top 6 ways websites get hacked, according to Google (TechRepublic)

In that sense, it isn’t really that surprising that a self-declared tech-savvy user would be more likely to fall prey to a hack: They have confidence in excess of their actual tech knowledge, which can lead to some pretty poor decisions.

The same goes for Mac users: It’s a long-held belief that Apple’s machines are less susceptible to viruses and malware. While that may have been true in the past, the greater popularity of Apple products has led to more and more malware targeting macOS and iOS.

Barker also said malware isn’t the only problem: Social engineering attacks are increasingly common, and they affect everyone regardless of OS or device type because they target flaws in humans, not systems.

Turning this data into a set of actionable items is easy and echoes the findings of other security reports: Users need training on not only how to protect their personal info, but also the importance of adhering to seemingly unnecessary or overly complicated security systems.

Keeping personal–and company–information safe is a constant battle, and one weak link in the cybersecurity chain can cause the entire system to break down. If this study is any indication, it’s probably an overly confident or uninformed user who’s going to be at ground zero and not a piece of malicious code.

The three big takeaways for TechRepublic readers:

  1. The types of users most likely to suffer from identity theft are the well educated, those who consider themselves tech-savvy, Apple users, Android users, and women.
  2. Those same groups are also generally more likely to practice good habits, but only 4% of users consider security to be important or necessary.
  3. User education is key to preventing data theft. Attitudes toward security are largely apathetic at best, and frustratingly hostile at worst, and that has to change if individuals and businesses want to prevent a serious breach.

Also see: