Identity Theft: Lock it down & recover fast

If you just learned your identity was stolen, do these things in this order. Don't skip ahead.

1. Call the bank for any account that may be exposed. Use the number on the back of your card, not from any message. Ask them to freeze the card and open a fraud case. Write down the case number.
2. Change the password on your primary email. Email is the master key — most account recovery flows go through it. Use a new, unique password and enable two-factor authentication today. An authenticator app, not SMS.
3. Place a fraud alert at one of the three credit bureaus (Equifax, Experian, TransUnion). One bureau notifies the others. Free. Takes five minutes online.
4. Stop and breathe. You've contained the immediate damage. The rest is paperwork.

Why this order?

Banks first because money can move in minutes. Email second because email is the recovery channel for everything else — if the attacker controls your email, they can reset every other password. Credit bureau third because new credit accounts are slower to open than money is to move.

What NOT to do in the first hour

• Don't post about it on social media. Attackers monitor for victims complaining and use it to target follow-up scams.
• Don't pay anyone claiming to help "recover" your stolen identity. The free FTC tools below do it better.
• Don't try to contact the scammer to negotiate. Engagement signals a valuable target.

The FTC's IdentityTheft.gov is the one website that does this whole process for you, in order, with the right forms. Use it.

What it does

• Walks you through a step-by-step questionnaire about what happened.
• Generates a personalized recovery plan.
• Auto-fills letters to creditors, the credit bureaus, and the IRS if needed.
• Produces an official FTC Identity Theft Report — the document many institutions require to remove fraudulent items.

Also file

• A police report at your local precinct. Bring the FTC report. You may need both for some creditors.
• If a Social Security number is involved: ssa.gov/scam and call the SSA fraud hotline.
• If your tax return is affected: file IRS Form 14039.
• If a medical insurance card or claim is involved: contact your insurance company's fraud department and request a copy of the medical records used.

Save everything

Open a single folder — paper or digital — for this incident. Put in: every case number, every confirmation email, every letter sent and received. Six months from now when a creditor calls about an account you've never heard of, you will want every piece of paper at hand.

Why the FTC report matters

The Identity Theft Report is a legal document. It triggers specific rights under the Fair Credit Reporting Act and the Fair Credit Billing Act — including the right to have fraudulent items blocked from your credit report. Without it, you're negotiating. With it, you're invoking a federal statute.

A fraud alert (step 1) lasts a year. A credit freeze is permanent until you lift it, and it is the single most effective protection against new-account fraud.

What a freeze does

No one — not even you — can open new credit in your name without first lifting the freeze with a PIN you control. Existing accounts are unaffected. You can still use your credit cards. Your credit score is unaffected.

How to freeze, with each bureau

• Equifax: equifax.com/personal/credit-report-services/credit-freeze
• Experian: experian.com/freeze
• TransUnion: transunion.com/credit-freeze

Freeze all three. Free in every US state. Save the PINs in a password manager.

Don't forget the lesser-known bureaus

There are two more credit bureaus most people miss:

• Innovis — used by some smaller lenders and pre-screened offers. Free freeze online.
• ChexSystems — used by banks to evaluate new checking-account applications. Freeze prevents fraudulent bank accounts opened in your name.

When to thaw

Applying for a car loan, mortgage, or new credit card? Thaw temporarily — most bureaus allow a one-hour or one-day window. Re-freezes automatically.

Freeze your kids' credit too

Children's SSNs are uniquely valuable to fraudsters because they're rarely checked. Freezing your minor child's credit at all three bureaus takes 20 minutes and prevents the most damaging form of long-term identity theft.

The first week stops the bleeding. The next ninety days catch what you missed.

Week 1

• Review the last 90 days of statements for every account. Highlight anything unfamiliar.
• Change passwords on every account using your compromised email — bank, brokerage, retirement, healthcare portal, retailers that store cards.
• Move your primary email to a unique password and 2FA via an authenticator app (not SMS).
• Set up a free password manager (1Password, Bitwarden) if you don't have one. The single biggest predictor of repeat compromise is password reuse.

Weeks 2–4

• Pull free credit reports from all three bureaus at annualcreditreport.com. Look for accounts you didn't open.
• Dispute every fraudulent item in writing, attaching the FTC report.
• Request a copy of your "specialty consumer report" from LexisNexis — many lenders pull this in addition to credit. Looking for new addresses, phone numbers, or accounts you don't recognize.

Days 30–90

• Check accounts weekly. Re-pull credit reports at day 60 and 90.
• If you've been on the dark web (most of us have), assume your data will resurface — keep the freeze on indefinitely.
• Keep a single folder, paper or digital, with every report and case number. You will be glad you did.
• Sign up for a free dark-web monitoring service (Experian, Norton, and several others offer free tiers) so you're alerted next time your email shows up in a breach dump.

The lifestyle change

One identity-theft incident is most people's first encounter with how exposed their digital life actually is. Use the moment. Long-term: a password manager, 2FA everywhere via an authenticator app, credit frozen by default, and a habit of checking your statements weekly. That five-minute habit, repeated, is what prevents the second incident.