Identity misuse incidents are won by sequence, stop active financial damage, block new openings, and document everything.
Fast, structured action improves recovery speed and reduces repeat fraud using the same stolen data package.
Identity-theft containment sequence
- Contain financial damage: contact impacted banks, card issuers, and payment apps, and freeze or lock accounts where possible.
- Freeze your credit (free) at the major bureaus, even if you are not sure what was opened yet.
- File an identity theft report at IdentityTheft.gov and follow the plan it generates.
- Pull your credit reports and look for new accounts, hard inquiries, and address changes.
- Document everything: dates, amounts, account numbers (last 4), screenshots, and names of people you spoke to.
- Watch for follow-on scams: identity theft victims are often targeted with "recovery" fraud and fake investigators.
Key idea: a credit freeze is one of the highest-impact steps because it blocks most new credit accounts from being opened in your name.
| If this is happening | Do this first | Why |
|---|---|---|
| Unauthorized bank transfers or card charges | Call the bank/card issuer, lock accounts, and dispute fraud using their process | Stops immediate loss and creates an official record |
| New accounts or loans you did not open | Freeze credit and file an FTC identity theft report | Prevents additional openings and supports removals |
| Tax return filed in your name | Start IRS identity theft steps and consider an IP PIN | Tax identity theft can cascade year to year if not fixed |
| Phone number hijacked (SIM swap) | Contact your carrier immediately and secure your accounts | Phone control can break MFA and enable more fraud |
| Someone impersonates you to friends/contacts | Warn contacts, secure email/social accounts, and document messages | Prevents secondary victims and reputation damage |
Step 1: Clarify what was stolen or misused
Before you run in five directions, take five minutes to classify the incident. You can do multiple categories at once, but naming the category keeps your response focused.
- Financial fraud: unauthorized card charges, bank transfers, new payees, or wallet activity.
- New accounts opened: credit cards, loans, buy-now-pay-later accounts, utilities, phone plans.
- Account takeover: your existing email/social/bank accounts were accessed and changed.
- Tax or government benefits misuse: a tax return filed, unemployment or benefits claims, or official mail anomalies.
- Phone number takeover: loss of service, SIM change alerts, or accounts suddenly failing MFA.
If you suspect this started from an account takeover (email, Apple ID, Google account), use how to check if you've been hacked to identify the entry point and stop further compromise.
Step 2: Contain the immediate damage
If money is actively moving, containment comes first. Do not wait for credit reports to update.
- Call the institution using a known-good number from your card, bank app, or official site. Avoid numbers from emails or texts.
- Ask about account locks, transaction disputes, and whether new payees or transfers were added.
- Change passwords and revoke unknown devices or sessions.
If a specific service is impacted, start with focused playbooks. For example:
Step 3: Freeze your credit and add alerts
A credit freeze blocks most lenders from pulling your credit file, which blocks most new credit accounts. Freezes are free by law. You typically need to place a freeze with each bureau.
The FTC explains the process and links to the bureaus here: credit freezes and fraud alerts.
Common mistake: buying credit monitoring and skipping the freeze. Monitoring tells you you were hit. A freeze blocks the hit.
Consider adding a fraud alert as well (it can add friction for new accounts). Keep your own notes with the date you placed each freeze and the confirmation details you receive.
Step 4: Get your credit reports and look for new activity
Your credit file is one of the fastest ways to see what was opened or attempted. In the U.S., you can request reports from AnnualCreditReport.com (the official centralized service).
Look for:
- New accounts you do not recognize
- Hard inquiries from lenders you did not contact
- Address, phone number, or employer changes you did not make
- Collection items that appear suddenly
Print or save copies for your records. If you need to dispute items later, having dated copies helps.
Step 5: File an FTC identity theft report
For most U.S. consumers, the highest-signal official report is the FTC report and recovery plan from IdentityTheft.gov. It helps you generate letters and documentation that many companies accept when removing fraudulent accounts.
If you are dealing with fraud across multiple institutions, consider making a simple incident file:
- Timeline: what happened, when you noticed, what changed
- Evidence: emails, screenshots, statements, chat logs
- Calls: who you spoke to and case numbers
Step 6: Tax identity theft (IRS) and other official misuse
If you receive IRS notices you did not expect, or you cannot file because a return already exists, treat it as tax identity theft. The IRS provides a centralized starting point here: IRS identity theft information.
One of the strongest preventative steps is applying for an Identity Protection PIN (IP PIN), which helps prevent someone else from filing a return using your SSN. The IRS explains it here: get an IP PIN.
If you think someone misused your identity for government benefits, use official state or federal reporting pages. Be skeptical of anyone who says they can "fix" benefits fraud for a fee.
Step 7: If your phone number was taken over
A SIM swap is identity theft plus a technical foothold. If your phone suddenly stops working, your carrier emails about a SIM change, or you lose access to MFA codes, treat it as urgent.
- Contact your carrier immediately and ask them to lock the account and reverse unauthorized changes.
- Reset passwords on email and financial accounts and move MFA away from SMS where possible.
- See SIM swapping for the deeper response steps.
Step 8: Watch for follow-on scams
Once you are dealing with identity theft, scammers may impersonate banks, "investigators", or credit bureaus. They often use the fact you are already stressed to push you into unsafe actions.
Safety note: do not pay for identity "recovery" services from random callers. Use official portals and call back using numbers you find yourself.
- Be suspicious of anyone asking for one-time codes, remote access, gift cards, crypto, or secrecy.
- Verify by calling back using official numbers from your institution.
- If you receive a scary email, use how to identify scam emails to evaluate it.
If this started with a hack
Sometimes identity theft starts with an account takeover: your email was compromised, then attackers used the inbox to reset other accounts and to harvest personal data. If you suspect that, start with containment and account recovery:
Most identity theft response plans assume a static leak. If a live attacker is still in your accounts, you need both tracks: identity recovery and account recovery.
Next 7 days: the follow-through that prevents repeat damage
The first-hour steps stop the bleeding. The next-week steps reduce the chance the same identity package gets reused again.
1) Dispute fraudulent accounts and inquiries
If your credit reports show accounts or inquiries you did not authorize, dispute them with the bureau and the lender. Use your FTC Identity Theft Report from IdentityTheft.gov as supporting documentation. Keep copies of everything you submit.
- Ask the lender for their fraud or identity theft department process.
- Request confirmation in writing when an account is closed or an inquiry is removed.
- If you receive mail about a new account you did not open, treat it as an urgent signal and follow the dispute process immediately.
2) Deal with debt collectors safely
Fraud sometimes shows up as collections. Do not ignore it. Respond in writing, keep records, and request validation of the debt. If the account is fraudulent, document that and dispute it using the FTC report and the credit bureau dispute process.
3) Lock down your online accounts
If an attacker can access your inbox, they can keep undoing your recovery by resetting passwords. Make sure the email account you use for financial and government services has:
- A unique password
- Strong MFA (prefer app or hardware key where available)
- Clean recovery methods (no old phone numbers)
- No unknown forwarding rules or connected apps
If you want a recovery-first approach for account security, start with Been hacked? Take these steps immediately and prioritize email and financial accounts.
4) Watch for address and mail abuse
Identity thieves sometimes change mailing addresses to intercept bank cards, loan mail, or tax documents. If you see address changes you did not make:
- Contact impacted institutions and correct the address.
- Consider using USPS tools like Informed Delivery if available in your area.
- Be cautious with change-of-address confirmations. Scammers sometimes send fake "address update" notices to harvest information.
5) Consider a police report when it is useful
A police report is not required for every case, and it does not guarantee faster resolution. It can help when:
- A lender, landlord, or utility requires it to remove a fraudulent account
- You are dealing with repeated fraud that escalates
- The theft involves stolen physical documents, mail theft, or clear criminal activity you can document
Bring your timeline, your FTC Identity Theft Report, and your evidence. Ask for a report number and keep it in your incident file.
Rule of thumb: do not send your full SSN, full card numbers, or full IDs over email. Use secure upload portals when available, and confirm you are talking to the real institution first.
Prevention after recovery
Once the immediate fire is out, keep a few long-term protections in place so the same identity package is harder to reuse.
- Keep credit freezes in place unless you are actively applying for new credit.
- Keep your IRS IP PIN if you were hit by tax identity theft.
- Use unique passwords and MFA, especially for email and financial accounts.
- Turn on alerts: bank transactions, credit monitoring alerts, and new sign-in alerts on critical accounts.
Common questions
How long does identity theft recovery take?
It depends on what was opened and how widely your information was reused. Some bank fraud disputes resolve in days. New-account and credit-file cleanup can take weeks or longer because it involves multiple institutions and documentation. Your best lever is good records and fast containment.
Should I keep my credit frozen forever?
If you are not actively applying for credit, keeping freezes in place is usually a net win. When you do need to apply for something, temporarily lift the freeze only for the bureau the lender uses, then re-freeze afterward.
What if the victim is a child or older family member?
Minors and older adults are common targets. The steps are similar (freeze where possible, official reports, documentation), but you may need extra proof of guardianship or authority. Use IdentityTheft.gov to generate the plan and follow any age-specific instructions your institutions require.
Identity theft recovery is rarely one action. It is a sequence: contain active loss, block new openings, produce an official report that institutions accept, and then methodically clean up what was created in your name.
Most people lose time by doing low-leverage work first. The high-leverage work is the work that changes outcomes: a credit freeze, an FTC Identity Theft Report and plan, and disciplined documentation that turns phone calls into case numbers and written confirmations.
After the first day, the strategic goal shifts from emergency response to preventing repeat damage. Keep freezes and alerts in place long enough to catch delayed attempts, and treat new alerts as connected until you can prove otherwise. Attackers often reuse the same identity package weeks later.
If the root cause was account takeover (especially email), your identity recovery will not "stick" until the account layer is secured. In that case, use Been hacked? Take these steps immediately and prioritize the accounts that control resets.
If you want one simple diagnostic to keep you honest: are you making it harder for new accounts to be opened in your name, or are you only reacting to the last account you discovered?