Viewers settling into an episode of Animal Planet's "River Monsters" extreme fishing show the day after Christmas were introduced to monsters of another kind during a commercial break: hordes of cyber criminals trading stolen personal information on the dark corners of the internet. The ad, for Experian, began with an ominous scene of a man typing away in a dimly lit closet. It ended with a smiling family playing catch in the backyard. The pitch: Sign up for a one-time scan "to see if your information is on the dark web."

Scary ads like this one are popping up all over TV and online as data-security providers race to capture a piece of the growing identity theft protection market that has gained steam in the wake of several well-publicized security breaches. The result is a burgeoning ad war as brands such as LifeLock and Experian compete in an industry that shows no signs of slowing down. The most recent estimate by Javelin Strategy & Research, an advisory firm that has long studied identity theft, pegged the size of the identity protection services market at $3.8 billion in 2015 in the U.S., up 18 percent from the year prior.

Even while they benefit from media coverage of data breaches, protection providers must continually advertise as they seek to hold on to subscribers, who have shown a tendency to frequently drop coverage. Javelin points to churn as a "major challenge for the industry," stating that 48.5 percent of subscriptions held at some point during the year are discontinued.

"I have little doubt that marketing in this space will only grow—not only to prevent churn, but to capitalize on an environment that is becoming increasingly hostile to consumer identity and account data," Al Pascual, Javelin's senior VP for research, said in an email interview.

"New major breaches are announced with shocking frequency, which is putting consumers on edge and creating a rapt audience for the marketing messages of these companies," he says.

The gang's all here

The market includes direct-to-consumer providers like LifeLock. Its basic service costs $9.99 a month and promises to alert buyers to potential stolen-identity threats as well as resolve incidents of actual theft and reimburse stolen funds up to $25,000. LifeLock's measured media spending grew to $182.6 million in 2016 from $120.9 million in 2015, according to the most recent full-year data from Kantar Media.

Also in the game are b-to-b marketers such as EZShield, which run plans offered by partners. For instance, EZShield has a pact with Aflac, which offers identity-protection services as part of an employee benefits package sold to companies.

Banks and credit card companies are also getting involved, offering a rising array of identity-theft protection packages as free perks to build loyalty. Discover Card, for example, in July began offering a free service to cardholders that alerts them if their Social Security numbers appear on risky websites known to illegally sell or trade personal data.

Credit reporting agencies—whose core business is to track consumer credit histories used in loan approvals and other background checks—are also marketing identity-theft protection services directly to consumers. Experian, which is one of the three major credit agencies, in May launched a product called IdentityWorks that includes a suite of services similar to what LifeLock offers. Experian is poised to spend more behind its IdentityWorks product, with a new ad slated to hit the air this month. The spot will be handled by its in-house shop, The Cooler.

The most notable data breach of 2017 occurred last summer, when hackers accessed information from Equifax, one of the three credit reporting agencies. It exposed information on 143 million Americans, including credit card numbers for an estimated 209,000 people. More recent headlines came in the closing days of December, when restaurant chain Jason's Deli reported that information from cards processed at its locations was potentially part of a data breach.

In 2016, a record-high 6.15 percent of U.S. consumers, or 15.4 million people, were identity fraud victims, with fraudsters stealing $16 billion, according to Javelin. That's up from the 13.1 million victims and $15.3 billion in losses the year before. Factors driving the surge include risks posed by e-commerce shopping and the exposure of personal data on social networking platforms, according to Javelin. "Until something dramatic changes I see no reason why fraud would go down," says Pascual. Criminals are getting "smarter, faster, better, stronger, and the rest of us are kind of slow to respond."

Consumer confusion

Still, consumers remain confused about what they should do, exactly, and if it's necessary to pay for protection. Experts offer differing views. "Realistically you don't need LifeLock or any of these services," says Andras Cser, VP and principal analyst for security and risk management at the research company Forrester.

Cser recommends that people simply freeze their credit files at the three major credit reporting agencies. That prevents a fraudster from taking out a loan or getting credit with stolen information if the lender checks the credit files at the agencies. If you want to make a purchase, you can temporarily unfreeze your credit. This costs money, and fees vary by state, but the most expensive charge is $30 to freeze and $30.95 to temporarily unfreeze, according to ValuePenguin, a financial information provider. In New York, freezing is free and unfreezing costs $15, for example. (Equifax waived its fees in the wake of the breach but the waiver expires Jan. 31.)

But Peter Swire, a privacy and cyber security expert who teaches at Georgia Tech, says credit freezes won't stop crimes like medical identity theft, in which someone pretends to be you in order to steal your health insurance. Identity-theft protection services products are "a legitimate service that ordinary families should strongly consider. Because we can't stop all the breaches. And bad guys can impersonate you," he says.

Identity-theft protection providers appear to be stealing from the same ad playbook that auto and life insurance providers have used for years: Portray a calamity and then describe how to protect against it. But key differences persist. For one, people are not required by law to purchase ID theft protection, as they are with auto insurance. Also, describing shady online threats from unknown places is a lot harder than reminding people that their next car accident could be around the corner. So ID theft marketers are trying to break through with ads that try to describe the threats in everyday terms.

For instance, Discover Card's new protection service, which is backed by Experian, was plugged with an ad by The Martin Agency portraying a man calling to ask Discover about the Social Security alerts. As he does, he pulls sushi from the refrigerator. Then an electronic alert pops onscreen showing the sushi as four days old. "Being in the know is a good thing," he decides.

LifeLock has another challenge: convincing consumers to pay for services they can get elsewhere for free. In a recent note to investors, Evercore ISI, a global independent investment banking advisory firm that covers Symantec, pointed to competition from banks and credit card companies as a factor that could limit LifeLock's growth. LifeLock responded to Ad Age that "free products provide a much more limited set of services and protection, and don't have the extensive product offering LifeLock provides, nor the hands-on, dedicated specialists."

LifeLock tried to make that point in a recent TV spot showing a dentist telling a patient that he "has the worst cavities I have ever seen," before leaving the man stranded in the dental chair and telling him that he is just a "dental monitor" so he can't fix it. The message: Credit monitoring isn't good enough.

LifeLock, which says it has more than 5 million U.S. members, is also trying to boost its business via a new marketing collaboration with Norton, which is known for anti-virus software that protects personal computers and mobile devices. The two brands came under the same ownership when Norton parent Symantec acquired LifeLock in February for $2.3 billion. The deal came a little more than a year after LifeLock paid $100 million to consumers in a settlement with the Federal Trade Commission, which charged the company with violating the terms of a 2010 federal order. The order included charges that LifeLock "falsely advertised that it protected consumers' sensitive data with the same high-level safeguards used by financial institutions," according to an FTC statement.

In a statement to Ad Age, Symantec said LifeLock has "invested in new processes, systems, and personnel to improve its security, strengthen its operations, and bolster compliance across its network."

Late last year Symantec consolidated its consumer advertising under DDB, which had previously been LifeLock's agency. Now the agency is working on a campaign to tout new packages in which consumers can buy LifeLock and Norton services in one bundle. Together, the two brands are trying to carve out a space in a category that Symantec refers to as "digital safety."

"Most people would say that they should have some kind of anti-virus or some kind of identity protection. It's on their list, but they just don't act," says Ty Shay, who oversees LifeLock marketing as chief marketing officer for the consumer business at Symantec. "Our challenge is: Can we bring these together in a convenient price point so we can get more people protected?"

The two brands separately spent a lot of money creating awareness. "Can we spend that combined money, which is in the hundreds of millions, to bring a more comprehensive convenient value solution to consumers?" Shay asks, rhetorically. "And there is a lot of education that needs to happen."

Translation: more scary ads to come.

~ ~ ~
CORRECTION: An earlier version of this article said Discover Card promoted its new protection service with an ad by its in-house agency. The ad was created by The Martin Agency.