Last week, the Federal Trade Commission released the list of top complaints received by it’s Consumer Sentinal Data Network – which gathers complaints not only directly from consumers to the FTC but also from law enforcement agencies (state and federal), and national consumer protection agencies. Leading the pack for the 15th consecutive year: Identity theft.

In 2014, 12.7 million U.S. consumers were victimized to the tune of $16 billion, according to a report released this week by Javelin Strategy and Research (which is backed by LifeLock, which I work with to educate consumers on ID theft). The firm’s 2015 Identity Fraud Study notes that this represents a 3% drop in victims, from last year.

So here’s my question: Are we making progress in the fight against ID theft? Or not?

The answer is decidedly wishy-washy and somewhat disappointing: Sort-of. Yes, fewer people were taken advantage of, says Al Pascual, director of fraud and security for Javelin. But you have to consider everything that happened in 2014. “Last year wasn’t a record for breaches,” he says. “But it captured the public’s attention. In the Target TGT breach, 95% of [debit and credit] cards were replaced. You had state attorneys general coming out of the woodwork demanding credit monitoring and other protection for victims.” With all of that, he points out, the best we could manage was a 3% decline.

In the details of both of these batches of data, however, lie new ways consumers should be on their guard. (And note: If you’re tired of this, that’s just too bad. You’re tired of commuting to work and ordering salad when you really want a burger, too. Welcome to 2015.)

Credit monitoring isn’t a cure-all. ID theft crimes fall into two distinct buckets: Hassle and heinous. Card fraud, where someone steals your credit card or debit card number and uses it to make purchases, is the first. It’s a pain, but you can shut it down and even if money was pulled out of your checking account, you’ll get it back. New account fraud, where someone uses your identifying info to take out a loan, is the second. Unfortunately, the Javelin research found that victims are three times as likely to take a year or more to discover what’s going on. That opens the door for the fraudster to use the identity for other illicit purposes – like applying for a job (as you) or filing for your tax refund. Credit monitoring services can help you keep your eye on the ball, but it’s important to note that they don’t all work the same. You want to be notified if someone is applying for a loan in your name in minutes or hours, says Pascual, rather than weeks or months.

Impersonation theft is on the rise. According to the FTC, there has been a rise in so-called impersonation crimes. A close cousin of phishing, but with a governmental bent, you’ll typically receive a call from someone claiming to be from the IRS. This person may know all or part of your Social Security Number as well as other identifying details and the call may look like it originates from a Washington, DC area code. The upshot is always: You owe taxes or penalties. How would you like to pay? Hang up. The IRS will not reach out to you for payment over the phone. It’s old school and sends letters instead. (And keep in mind, phishing is still a problem, too. If you’re contacted by any institution that you do business with asking for a payment or identifying information, hang up. If you suspect that it may be legitimate, call the credit card company – or whomever – directly. You should always be the initiator, not the recipient, of these interactions.

Chip cards aren’t going to solve everything. Perhaps you’ve already been issued a credit card with a shiny metal chip. If not, it’s coming soon. “We’re expecting broad penetration [of this technology] by 2018,” Pascual says. That will decidedly reduce the Target-like breaches because thieves will no longer be able to steal your credit card data and print it on fake cards. As a result, he predicts, breaches like the recent Anthem Health WLP theft – where millions of Social Security Numbers were pilfered – “will explode.” That will likely lead to growth in new account fraud. Which brings us back to the number one piece of advice for consumers. Protect your credentials — the fewer people and institutions you can give your Social Security Number to, the better – and your mobile devices. Passwords, please.

Give the students in your life a heads up. We like to think of millennials as being more tech-savvy, says Stephen Coggeshall, Science officer at both ID Analytics and LifeLock. The darker side of that is that they’re more open with their personal information. Young people engage in what Coggeshall calls “bad social network behavior” like broadcasting their dates of birth on their Facebook accounts. Perhaps that’s one reason that despite being less concerned with protecting their identity, they’re more likely to be victimized. In particular, they’re five times more likely to be victims of “familiar fraud” or being taken advantage of by someone you know. “Students are not doing a good job of protecting their information from dorm mates or other fast friends,” he says.