How to Prevent Identity Theft (and Recover If It Happens)

How to prevent identity theft with a credit freeze, unique passwords, and smart habits, plus the exact recovery steps to take if it happens to you.

How to Prevent Identity Theft (and Recover If It Happens)

The most effective way to prevent identity theft is to make your personal information both hard to steal and hard to use. In practice that comes down to a short list of habits: freeze your credit, use a unique password on every account, turn on two-factor authentication, guard your Social Security number, and check your statements often enough that fraud cannot hide for long.

None of that requires paid monitoring or special software. The strongest single protection, a credit freeze, is free at all three credit bureaus and takes a few minutes to set up. This guide walks through the preventive steps in order of impact, then covers exactly what to do if someone is already using your identity, because how you handle the first two days matters more than almost anything that comes after.

What identity theft actually is

Identity theft is someone using your personal information without permission: your name, Social Security number, date of birth, account numbers, or login credentials. With enough of those pieces, a stranger can open credit cards, take out loans, file a tax return to claim your refund, or receive medical care billed to your insurance.

It shows up in a few common forms:

  • Financial identity theft: new credit cards, loans, or bank accounts opened in your name, or charges pushed through accounts you already have.
  • Tax identity theft: a fraudulent return filed with your Social Security number, usually discovered when your real return gets rejected.
  • Medical identity theft: someone receives treatment or prescriptions under your insurance, which can also corrupt your medical records.
  • Child identity theft: a child's clean credit file gets used quietly for years, because nobody thinks to check a nine-year-old's credit report.
  • Synthetic identity theft: fragments of real information from several people are stitched together into a new, fake identity.

Warning signs people miss

Some signs are obvious: unfamiliar charges on a statement, collection calls about accounts you never opened, a credit denial that makes no sense. Others are quieter, and they are the ones that let theft run for months.

  • An unexpected drop in your credit score. If your score falls and nothing in your own behavior explains it, a new account or missed payment you never made may be the cause. Pull your reports before assuming it is a glitch.
  • Expected mail stops arriving. A thief who files a change of address in your name can redirect your bank statements and card offers to themselves. If bills you always receive suddenly go quiet, contact the sender and your post office.
  • Bills or statements for accounts you do not recognize, even small ones. Thieves often test with minor accounts first.
  • Login alerts from your email or social accounts for sessions you did not start.
  • A notice from the IRS that more than one tax return was filed in your name.

Any one of these is a reason to pull your credit reports the same day, not at the end of the month.

Freeze your credit: the strongest single step

A credit freeze blocks lenders from pulling your credit file, which means nobody can open a new account in your name while the freeze is in place. It is free, it does not affect your credit score, and you can lift it temporarily online whenever you legitimately apply for credit.

You do have to place the freeze separately with each of the three major bureaus: Equifax, Experian, and TransUnion. Create an account at each, and save those three logins in your password manager, because you will need them to thaw the freeze later.

A fraud alert is the lighter option. It tells lenders to verify your identity before opening new accounts, but it does not block them outright. It has one real convenience: you only need to place a fraud alert with one of the three bureaus, and that bureau is required to notify the other two. An alert makes sense as a quick response after a breach notification. A freeze is the better default for most people, most of the time.

Lock down the accounts thieves want first

Your email account is the master key. Anyone who controls it can reset the password on nearly everything else you own, so it deserves stronger protection than even your bank account.

  • Use a unique password everywhere. Reused passwords are how a breach at one obscure site becomes fraud at your bank. A password manager such as Bitwarden, 1Password, or KeePass remembers them all, and a password generator makes creating strong ones painless.
  • Turn on two-factor authentication for email, banking, and anything connected to money. An authenticator app is stronger than text message codes, but either is a major upgrade over a password alone.
  • Check whether your address has already leaked. Run it through our email breach checker or Have I Been Pwned, then change the password on every account tied to a breached address.
  • Add a PIN with your phone carrier. This blocks SIM swap attacks, where a thief moves your phone number to their own device to intercept your login codes.

Protect your information in daily life

Plenty of identity theft still starts offline, or with information you handed over without thinking twice.

  • Guard your Social Security number. When a form asks for it, ask why it is needed and what happens if you decline. Doctors' offices and schools often request it out of habit and will accept an alternative identifier.
  • Shred before you toss. Bank statements, pre-approved credit offers, insurance paperwork, and anything with an account number should go through a shredder, not straight into the recycling bin.
  • Watch your mailbox. Collect mail promptly, drop outgoing checks at the post office rather than leaving them out, and consider the postal service's free Informed Delivery service so you know what should be arriving.
  • Share less publicly. A full birthdate, hometown, and phone number on a public profile is exactly the data thieves use to answer security questions and impersonate you on the phone.
  • Keep your devices patched. On an iPhone, open Settings, then General, then Software Update, and turn on automatic updates. On Windows, open the Windows Security app and confirm real-time protection is on. A reputable antivirus and current updates close off most malware that steals credentials.
  • Be suspicious of urgency. A call or text claiming your account is locked and demanding immediate action is the classic setup. Hang up and call the number printed on the back of your card instead.

If it happens: the first two days

Move quickly, and move in this order. Each step protects the ones that follow.

  • Change your passwords, starting with email and banking. If a thief still controls your email, they can undo everything else you fix. Lock those two down first, then work outward to other accounts.
  • Call the companies where the fraud happened. Ask for the fraud department, close or freeze the affected accounts, and ask that they be marked as disputed.
  • Place a fraud alert with one credit bureau. One call covers you, since the bureau you contact must notify the other two.
  • Review your credit reports from all three bureaus. Get them free at AnnualCreditReport.com and read every line. A fraudulent account sometimes shows up at one bureau before the others, so checking a single report is not enough.
  • Report the theft at IdentityTheft.gov. This is the FTC's official reporting site. Answer its questions and it generates a personalized recovery plan, along with pre-filled letters and affidavits for disputing accounts. The FTC report also serves as your official proof of the theft.
  • File a police report. Your local department may not actively investigate, and that is normal. The point is having the report on file: creditors and bureaus take your disputes far more seriously when a police report backs them up.
  • Freeze your credit at all three bureaus if you had not already done it. This stops the thief from opening anything new while you clean up.

The long part: recovery and record keeping

Cleaning up identity theft is rarely a single afternoon of phone calls. Expect the process to take weeks, and for messier cases months, especially when accounts were opened with several different lenders.

Keep detailed records of every call, email, and letter: the date, the company, the name of the person you spoke with, and what they agreed to do. Send written disputes by certified mail and keep copies. Then follow up regularly, because promised fixes have a way of stalling when nobody is checking on them.

Keep watching your statements and credit reports even after everything looks resolved. Thieves who succeeded once often wait a few months and try the same information again.

Where to start tonight

You do not need to do all of this at once. These five steps fit into one evening and remove most of the risk:

  • Freeze your credit at Equifax, Experian, and TransUnion.
  • Change your email and banking passwords to long, unique ones, and turn on two-factor authentication for both.
  • Run your email address through a breach checker and fix any account it flags.
  • Call your phone carrier and add a PIN or port-out lock to your number.
  • Set a recurring calendar reminder to pull your free credit reports and skim your statements.

Prevention is mostly boring, and that is the point. A credit freeze, unique passwords, and a skeptical eye toward urgent messages turn identity theft from something that could quietly follow you for months into something that mostly bounces off.