Identity Theft & Fraud Recovery

If you've just discovered that someone has used your identity — an unfamiliar credit card account on your credit report, charges you didn't make, an account opened in your name — the first 48 hours are when you can stop the most damage. The actions below should happen in this order and as fast as possible.

Hour 0-1: Stop the bleeding.

1. Place a fraud alert on your credit reports. Free. Call any one of the three bureaus (Equifax 800-525-6285, Experian 888-397-3742, TransUnion 800-680-7289); placing it with one bureau requires the other two to also place it. Lasts 1 year, renewable.
2. Freeze your credit at all three bureaus. More protective than fraud alert. Online or by phone with each bureau separately. Free since 2018.
3. Contact each bank where fraud occurred. Report the unauthorized activity. They'll close affected accounts and issue new cards/account numbers.
4. Change passwords on bank, credit card, and other financial accounts. Use unique passwords per account.
5. Enable 2-factor authentication on all financial accounts.

Hour 1-24: Document and report.

1. File at IdentityTheft.gov. The FTC's official identity theft reporting portal. Generates an Identity Theft Report and Recovery Plan based on your specific situation. The Identity Theft Report is the federal document you'll use to dispute fraudulent debts.
2. File a police report if you have evidence of who did it (a recognized signature, video footage, etc.). Many states require police reports for certain types of identity theft prosecution.
3. Pull all three credit reports at annualcreditreport.com. Document every account — verify which are yours and which are fraudulent.
4. Document everything. Save screenshots of fraudulent charges, copies of the FTC report, all correspondence with banks. Keep everything.

Hour 24-48: Begin disputes.

1. Send disputes to all three credit bureaus for fraudulent accounts and charges. Reference the FTC Identity Theft Report. The bureaus must investigate within 30 days.
2. Send written disputes to creditors with copies of the FTC Identity Theft Report. Under FCRA section 605B, creditors must block fraudulent debts from your credit report when they receive an Identity Theft Report.
3. Set up bank account alerts for any transaction over $1.
4. Notify other potential victims — your spouse, employer, anyone who might be targeted next via your information.

The credit-protection landscape has three main tools that get conflated in marketing: credit freezes, credit locks, and credit monitoring. They do different things and cost differently.

Credit Freeze (security freeze). The strongest protection. When frozen, no new credit can be opened in your name — potential lenders cannot pull your credit report at all without you first temporarily lifting the freeze. Required by federal law (since 2018) to be FREE at all three bureaus. Stays in place until you lift it.

• Cost: Free at Equifax, Experian, TransUnion
• Setup: Online or phone with each bureau separately (about 15 minutes total)
• Effect: Locks down your credit profile completely
• To use credit: Temporarily lift (thaw) the freeze before applying for new credit; refreeze after
• Best for: Anyone not actively shopping for new credit

Credit Lock. Marketed by bureaus as a "consumer-friendly" version of a freeze. Functionally similar but legally different — locks are contractual, not statutory. Many bureaus charge for lock services as part of subscription products.

• Cost: Often $10-$30/month as part of a "credit protection" subscription
• Setup: Through the bureau's app or website
• Effect: Similar to freeze but slightly faster to lift/replace
• Legal protection: Less than freeze (contract-based vs federally mandated)
• Best for: Almost no one — freeze is free and equivalent or better

Credit locks are largely a marketing product. The free freeze is functionally equivalent or better. Most consumer advocates recommend the free freeze and skipping paid lock services entirely.

Credit Monitoring. Alerts you when changes occur on your credit report — new accounts, hard inquiries, address changes, etc. Doesn't prevent fraud but tells you faster when it happens.

• Cost: Free options exist (Credit Karma, Experian's free tier, etc.); paid options $10-$30/month
• Setup: Sign up with a service
• Effect: Notifications of changes, but does not prevent activity
• Best for: Everyone, especially after data breaches

The optimal protection stack:

1. Credit freeze at all three bureaus (free, the strongest protection)
2. Free credit monitoring (Credit Karma is sufficient for most people)
3. Bank account alerts on every transaction
4. Two-factor authentication on all financial accounts
5. Annual review of credit reports at annualcreditreport.com

This stack costs $0 and provides better protection than most paid services.

When you actually need to lift the freeze:

• Applying for new credit (mortgage, auto loan, credit card)
• Renting an apartment (some landlords pull credit)
• Setting up new utilities (sometimes pull credit)
• Some employment background checks (rare but happens)

Each lift can be temporary (specific timeframe) or specific-creditor (only allow one specific lender to pull). Plan in advance — processing a lift takes minutes to a few hours, not days.

The Federal Trade Commission's IdentityTheft.gov is the official federal portal for identity theft recovery. Filing there generates an FTC Identity Theft Report — the legally recognized document that triggers protections under federal law. This is the most important single step in the recovery process.

What the FTC Identity Theft Report does:

• Triggers the right to dispute fraudulent accounts under FCRA section 605B
• Forces creditors to "block" fraudulent debts from your credit report (different from "dispute" — block is faster and stronger)
• Provides legal cover to refuse to pay fraudulent debts
• Establishes a paper trail with the federal government
• Can be referenced in lawsuits if creditors continue collection on fraudulent debts
• Serves as the basis for any criminal investigation (along with police report)

The IdentityTheft.gov process:

1. Visit IdentityTheft.gov and click "Get Started"
2. Describe what happened. What you've discovered, when, what accounts are affected
3. Provide personal information. Name, address, contact info, identifying details
4. The system generates a personalized recovery plan with checklist of steps and pre-filled letters for each creditor and bureau
5. Print the FTC Identity Theft Report — the formal document with confirmation number
6. Use the recovery plan to send disputes to creditors and bureaus
7. Update IdentityTheft.gov as you complete each step or discover additional fraud

The portal is genuinely useful, not bureaucratic theater. The pre-filled letters specifically reference your FTC report number and cite the relevant federal protections, making them more effective than generic dispute letters.

The FCRA section 605B "block" right. When you submit an FTC Identity Theft Report to a credit bureau, the bureau is required to block the fraudulent information within 4 business days. Block means it doesn't appear on your credit report at all. This is different from "dispute" (which the bureau investigates) — block is automatic upon receipt of the FTC report and identification information.

For block to apply, the report must:

• Be a copy of the FTC Identity Theft Report
• Identify the specific fraudulent information being blocked
• Include identification of the consumer (you)
• Include a statement that the information is not yours

Police reports vs FTC reports. The FTC Identity Theft Report is sufficient for most purposes. A police report adds value when:

• You have evidence of who committed the theft
• You want to pursue criminal charges
• A bank or creditor specifically requires it (some still do, despite the FTC report being the federal standard)
• The case involves substantial financial loss that may warrant investigation

For most identity theft cases, the FTC report is sufficient. Don't let the lack of a police report stop you from filing at IdentityTheft.gov first.

Once you've filed the FTC report, the work shifts to actually clearing the fraudulent items off your credit report. This is a multi-channel process: bureaus AND creditors AND collectors.

Channel 1: The credit bureaus. Submit disputes to all three bureaus (Equifax, Experian, TransUnion) for each fraudulent item. Include:

• Copy of the FTC Identity Theft Report
• Specific identification of the fraudulent items
• Your identifying information
• Clear statement that the information is not yours
• Request to "block" under FCRA section 605B (not just "dispute")

The bureau must respond within 30 days (some states require 15). They will investigate — contact the furnisher (the original creditor or collector), verify whether the account is yours, and either remove or retain the item.

For block requests with proper FTC documentation, the bureau must remove the item within 4 business days — faster than the dispute process.

Channel 2: The original creditors. Send written notification to each creditor whose name appears on a fraudulent account:

• Statement that the account is fraudulent (not opened by you)
• Copy of the FTC Identity Theft Report
• Request that the account be closed and removed from your credit reports
• Request for an FCRA section 623(a)(6) "block" of fraudulent information
• Send via Certified Mail with Return Receipt

Under federal law, the creditor must investigate and block fraudulent information from being reported. Once they confirm the fraud, they typically:

• Close the fraudulent account immediately
• Reverse all charges
• Send a notification to credit bureaus to remove the account
• Refrain from further collection
• Provide you with copies of all records related to the account (your right under FCRA section 609(e))

Channel 3: Debt collectors. If a fraudulent debt has been sold to or assigned to a debt collector, separate disputes are needed. Collectors are subject to FDCPA in addition to FCRA. Send a written dispute and request validation.

• State that you dispute the debt as fraudulent
• Demand validation of the debt under FDCPA section 809
• Include copy of the FTC Identity Theft Report
• Demand they cease further collection until validation is complete
• Request they notify the original creditor and credit bureaus of the fraud claim

If a collector continues to collect on a debt you've identified as fraudulent (especially after they receive the FTC report), they're potentially violating both FDCPA and FCRA. Document everything and consider an attorney.

If items don't get removed. If after 30-60 days the items are still on your credit report:

• File a complaint with the CFPB at consumerfinance.gov/complaint
• File a state-level complaint with your state attorney general
• Consider hiring an FCRA attorney — FCRA violations carry statutory damages and attorney's fees
• Persist with re-disputing — sometimes the bureaus' first response is inadequate, and a re-dispute with additional documentation gets the item removed

Beyond direct fraud, two related problems affect millions of consumers: mistaken identity (information from someone else with a similar name appearing on your credit report) and mixed files (the bureaus combining your information with someone else's). Both are addressable through the same dispute process but require some specific framing.

Mistaken identity scenarios:

• You share a name with another consumer (especially common with John/Jane Smith, Maria Garcia, etc.)
• You share a name with a parent or child (Sr./Jr.) and information mixed
• You share a Social Security number prefix or near-match
• An ex-spouse's accounts are still appearing on your report
• A landlord, employer, or other party reported information about another person under your name

Mixed file scenarios:

• Two different consumers' information fully blended into one credit report
• Most common with junior/senior pairs, identical twins, or names with similar variations
• Bureau's algorithm incorrectly merged data from multiple sources
• Often discovered when the consumer applies for credit and is denied for accounts they don't recognize

How to address mistaken identity / mixed files:

1. Pull all three reports and compare carefully. Note every account that isn't yours.
2. Document your identity clearly: driver's license, Social Security card, utility bills showing your address. The dispute will require demonstrating that you're a different person from whoever the information belongs to.
3. Send disputes to bureaus with: "These accounts do not belong to me. They belong to a different consumer. The bureau has incorrectly merged my file with another consumer's. I am [your full name, your SSN, your DOB]; the accounts in question belong to [identifying details if known]."
4. Provide documentation establishing your identity and address history
5. If the bureau won't separate the files, escalate to CFPB complaint and consider FCRA attorney

Mixed files have been the subject of significant FCRA litigation, and the bureaus have been forced to pay damages in many cases. If you have a clearly mixed file that isn't getting separated through normal dispute, an attorney is often the right path.

Family-based identity confusion. Particularly common with:

• Father/son pairs (Sr./Jr.)
• Mother/daughter with similar first names
• Same first name within extended family
• Twins or close-aged siblings

The most effective fix: each family member should establish a clear "credit identity" with consistent name format (always use middle initial or full middle name, always use the same address format, always include suffix like Jr./Sr. when applicable). The bureaus' merging algorithms get confused when information comes in with inconsistent formatting.

Once the immediate fraud is resolved, identity theft has a long tail. Stolen information often gets reused months or years later. The recovery process isn't over when the original accounts are cleared — it continues for as long as your information is in criminal hands.

The "dark web" reality. Most stolen identity information eventually ends up on dark web markets where it's bought, sold, and reused multiple times over years. Once your data is exposed, expect periodic reuse:

• New fraudulent account openings every 6-24 months on average
• Targeted scam attempts (phishing emails, fake calls) using your real information
• Tax fraud attempts during tax season
• Account takeover attempts on existing accounts
• Possible reuse for years after the original breach

Long-term protection practices:

1. Keep credit frozen permanently. The freeze is free; no reason to lift it except specifically when applying for new credit.
2. Monitor credit reports quarterly. Pull free reports rotationally (one bureau every 4 months) at annualcreditreport.com.
3. Use unique passwords with a password manager. Each account has a unique strong password. The password manager remembers them.
4. Enable 2FA everywhere possible, especially financial accounts and email.
5. Use authenticator apps over SMS for 2FA. SIM-swap attacks can intercept SMS codes; authenticator apps (Google Authenticator, Authy) are more secure.
6. Set up bank account alerts for any transaction over $1.
7. Monitor your address history. If a new address appears on your credit report that isn't yours, that's a sign of fraud in progress.
8. Watch for unexpected mail. A new credit card or bill from a creditor you don't recognize is often the first sign of new fraud.
9. File taxes early to prevent tax-fraud filers from beating you to it.
10. Be skeptical of unsolicited contact. Calls, emails, and texts purporting to be from your bank, the IRS, etc. are often scams. Always verify through known channels.

What to do if you discover new fraud later. If years after the initial incident you discover new fraudulent activity:

1. File a new FTC report at IdentityTheft.gov (it can supplement an existing case)
2. Repeat the dispute process with bureaus, creditors, and collectors as needed
3. Consider whether the new fraud is from the original incident's stolen data or a separate event
4. Document the relationship to prior incidents

The ScoreGuardians connection. Identity theft and credit damage often go hand in hand — the fraudulent accounts damage credit while you're trying to clean up. ScoreGuardians and similar credit-rebuild services help by managing the dispute process, monitoring for new activity, and providing resources during the multi-year recovery. For severe identity theft cases, a dedicated service can be worth the cost; for simpler cases, the free tools described above are usually sufficient.

1. Hour 0: Place fraud alert + freeze credit at all three bureaus.
2. Hour 1: File at IdentityTheft.gov to generate FTC Identity Theft Report.
3. Hour 24: Pull all three credit reports. Document fraud.
4. Hour 48: Dispute fraudulent items with bureaus AND creditors AND collectors. Certified Mail with FTC report.
5. Day 7: Confirm bureaus are processing disputes. Set up credit monitoring.
6. Day 30: Verify items are blocked or removed. Re-dispute if necessary.
7. Long-term: Keep freeze permanent. Use password manager + 2FA. Monitor quarterly. File taxes early.
8. If new fraud appears later: New FTC report, fresh disputes, document relationship to prior incidents.