How to Protect Yourself from Identity Theft (and What to Do If It Happens)

1.4 million identity theft reports were filed with the FTC in 2023. A credit freeze, strong passwords, and knowing what to do if your info is stolen are your best defenses. Here is the complete guide.

In 2023, Americans reported 1.4 million identity theft cases to the Federal Trade Commission, with total losses exceeding $10 billion. The most common types: credit card fraud, government benefits theft, tax refund fraud, and new account fraud (someone opening accounts in your name).

If you have a Social Security number, a credit card, or an email address, you are a potential target. Your personal data has almost certainly been exposed in at least one data breach — check at haveibeenpwned.com. The question is not whether your data is out there. It is whether you have the defenses in place to prevent someone from using it.

The single most important thing you can do: freeze your credit

A credit freeze (also called a security freeze) prevents anyone from opening new credit accounts in your name. When a lender runs a credit check to approve a new credit card or loan application, the freeze blocks access to your credit report. No access means no approval. The fraudulent application gets denied.

You must freeze your credit at all three bureaus separately:

1. Equifax: equifax.com/personal/credit-report-services/credit-freeze/
2. Experian: experian.com/freeze/center.html
3. TransUnion: transunion.com/credit-freeze

Each freeze takes about 5 minutes online. You will create an account and request the freeze. You receive a PIN or password needed to temporarily lift the freeze later.

Cost: $0. Credit freezes have been free nationwide since 2018. Your score is completely unaffected. Existing accounts (current credit cards, loans) continue to work normally — the freeze only prevents new accounts from being opened.

When you need to lift the freeze: If you apply for a new card, mortgage, or auto loan, the lender needs to check your credit. You temporarily lift (“thaw”) the freeze at the specific bureau the lender uses. You can lift it for a specific time period (1 day, 1 week) and it refreezes automatically.

This is the #1 recommendation from every financial expert, from the CFPB to Clark Howard. If you do nothing else in this guide, do this.

How exposed are you right now?

Beyond the credit freeze: layered protection

Monitor your credit reports

Pull your free credit reports from AnnualCreditReport.com (the only federally authorized source) at least once per year. You can now pull free reports weekly from all three bureaus.

Review every account listed. If you see an account you do not recognize, that is a sign of identity theft — dispute it immediately with the bureau. Free monitoring services like Credit Karma alert you when new accounts appear or when your credit score changes significantly.

Protect your Social Security number

• Never carry your Social Security card in your wallet. Keep it in a safe or locked drawer at home.
• Only share your SSN when legally required: tax filings, employment (W-4), opening bank/brokerage accounts, applying for credit.
• Do not share your SSN over the phone unless you initiated the call and verified the recipient.
• File your tax return early (January or February). Tax refund fraud happens when someone files a fraudulent return using your SSN before you file yours. Filing early beats them to it.
• Create an account at ssa.gov. This prevents someone else from creating an account with your SSN and redirecting your benefits.

Use strong, unique passwords

Compromised passwords are involved in 80%+ of data breaches, per Verizon’s Data Breach Investigations Report. Use a password manager (Bitwarden is free; 1Password and Dashlane are paid). Generate unique 16+ character passwords for every account. Enable two-factor authentication (2FA) on every account that offers it, especially email, banking, brokerage, and social media.

Use an authenticator app rather than SMS codes. SMS text codes can be intercepted via SIM-swapping attacks (see FAQ below). Google Authenticator and Authy are free and far more secure than text-message 2FA.

Secure your email

Your email is the gateway to every other account — password resets go there. If someone gains access to your email, they can reset passwords on your bank, brokerage, and credit card accounts. Use a strong unique password, enable 2FA, and consider using a separate email address for financial accounts than the one you use for shopping and social media.

Watch for phishing

Phishing emails and texts impersonate banks, the IRS, Amazon, or other trusted entities to steal your login credentials. Red flags: urgent language, links that do not match the official website (hover before clicking), requests for your SSN or verification code, emails from addresses that look almost right (support@arnaz0n.com instead of amazon.com).

Rule: Never click links in unexpected emails or texts. Go directly to the company’s website by typing the URL in your browser. The IRS never initiates contact by email or text.

Your identity theft protection checklist

Click each item to mark it complete as you work through the list:

What to do if your identity is stolen

Step 1: Place a fraud alert (immediate)

Contact any one of the three credit bureaus and request a fraud alert. That bureau is legally required to notify the other two. A fraud alert lasts one year (extendable to seven with an identity theft report). It requires creditors to verify your identity before opening new accounts.

• Equifax: 1-800-525-6285
• Experian: 1-888-397-3742
• TransUnion: 1-800-680-7289

If you have not already frozen your credit, do both: fraud alert AND credit freeze.

Step 2: Report to the FTC (same day)

File a report at IdentityTheft.gov. This generates a personalized recovery plan and an Identity Theft Report that you use to dispute fraudulent accounts and file a police report.

Step 3: File a police report (within 24 hours)

File a report with your local police department. You may need the report number to dispute fraudulent accounts with banks and creditors. Many departments allow online filing.

Step 4: Contact affected companies (within 24 hours)

Call the fraud department of any company where a fraudulent account was opened. Under federal law (Fair Credit Billing Act), your liability for unauthorized credit card charges is limited to $50 — and most issuers have zero-liability policies. For debit cards, liability depends on how quickly you report: $0 if reported before charges occur, $50 within 2 business days, up to $500 within 60 days, and unlimited after 60 days.

This is one reason we recommend using credit cards over debit cards for everyday spending — significantly stronger fraud protection.

Step 5: Dispute fraudulent accounts on your credit reports

File disputes with each bureau for any accounts or inquiries you do not recognize. Include your Identity Theft Report from the FTC. The bureau has 30 days to investigate and remove fraudulent information.

• Equifax dispute portal
• Experian dispute portal
• TransUnion dispute portal

Step 6: Monitor for ongoing fraud (next 12 months)

Identity theft can recur. Monitor credit reports monthly for the next year. Keep the credit freeze active. Watch all statements for unauthorized charges. Consider an IRS IP PIN — a unique 6-digit PIN that must be included on your tax return, preventing fraudulent returns using your SSN. Get it at irs.gov/ippin.

Common types of identity theft and prevention

Type	How it works	Best prevention
Credit card fraud	Someone uses your existing card number for unauthorized purchases	Transaction alerts on all cards; virtual card numbers for online shopping
New account fraud	Someone opens a credit card, loan, or bank account in your name	Credit freeze — blocks this almost entirely
Tax refund fraud	Someone files a return using your SSN and claims your refund	File early (January/February); get IRS IP PIN
Medical identity theft	Someone uses your insurance information for medical services	Review Explanation of Benefits statements; report unknown charges
Child identity theft	Children’s SSNs have no credit history, so fraud goes undetected for years	Freeze your children’s credit at all three bureaus
Synthetic identity theft	Criminals combine your SSN with fake name/address to create a new identity	Credit freeze and regular monitoring

Should you pay for identity theft protection?

Services like LifeLock, Aura, and Identity Guard charge $10 to $30/month for credit monitoring, dark web scanning, identity theft insurance, and recovery assistance.

What they provide that is genuinely useful: identity theft insurance (typically $1 million, covering recovery costs) and a recovery specialist who helps dispute fraudulent accounts. What they provide that you can get free: credit monitoring (Credit Karma), dark web alerts (haveibeenpwned.com), and credit report access (AnnualCreditReport.com).

Our take: the most important protections are free. Paid services add convenience and insurance but are not necessary for most people. If you want peace of mind, a $10/month service is reasonable. If you prefer to save $120/year, the free tools in this guide provide the same core protection.

Frequently Asked Questions

Does a credit freeze affect my existing credit cards?

No. Your current cards, loans, and bank accounts work completely normally. The freeze only prevents new credit accounts from being opened using your credit report. You can continue to use existing credit cards, make purchases, and receive statements exactly as before. Lenders you already have a relationship with can still access information needed to service existing accounts — only new applications from new lenders are blocked.

How do I unfreeze my credit to apply for a new card or loan?

Log into each bureau’s website using the account you created when freezing and temporarily lift the freeze. You can set it to lift for 1 day, 1 week, or a specific date range — it refreezes automatically. Most lenders will tell you which bureau they pull (Equifax, Experian, or TransUnion) when you ask. You only need to lift the freeze at the bureau the lender uses. For a mortgage, lenders often pull all three, so you would lift all three briefly. The process takes about 3 to 5 minutes per bureau.

Is a credit freeze the same as a fraud alert?

No — they are different tools with different strength. A credit freeze completely blocks access to your credit report, preventing any new account from being opened. A fraud alert stays on your file and tells creditors to verify your identity before approving new accounts — but it depends on the creditor actually checking and complying. A freeze is always stronger. If you can only do one, do the freeze. If you have been a victim of identity theft, do both. A fraud alert can be placed at one bureau (which notifies the others); a freeze must be placed at each bureau separately.

My data was exposed in a data breach. What should I do?

First: freeze your credit if you have not already. Second: change the password for the breached service immediately, and change any other account that used the same password (this is why password reuse is so dangerous). Third: enable 2FA on the breached account if you have not already. Fourth: monitor your credit reports at AnnualCreditReport.com for the next 6 to 12 months for any unfamiliar accounts. If the breached company offers free credit monitoring as compensation, accept it — it adds another monitoring layer. If your SSN was exposed in the breach, also get an IRS IP PIN and create an account at ssa.gov.

Can identity theft affect my credit score?

Yes, significantly. Fraudulent accounts opened in your name, hard inquiries from applications you did not make, and missed payments on accounts you did not open can all damage your credit score. Disputing and removing these items restores your score, but the process takes 30 to 90 days. This is why the credit freeze is so important — preventing fraudulent accounts from being opened in the first place is far easier than cleaning them up after the fact.

Should I freeze my children’s credit?

Yes — especially for children under 16 who cannot check their own credit. Children’s SSNs are particularly valuable to identity thieves because there is no credit activity to trigger alerts, and the fraud may not be discovered until the child turns 18 and applies for their first credit card or student loan. Each bureau has a specific process for minor freezes, typically requiring you to mail a request with documentation proving guardianship. It is worth the effort. A child discovering at 18 that their credit has been destroyed is a devastating financial setback that can take years to resolve.

What is SIM-swapping and how do I protect against it?

SIM-swapping is an attack where a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they control your number, they receive all your text messages — including 2FA verification codes — and can use them to reset passwords and access your accounts. Protection: (1) Use an authenticator app (Google Authenticator, Authy) instead of SMS for 2FA — these codes are generated on your device, not sent via your phone number, so a SIM swap cannot intercept them. (2) Add a PIN or passcode to your mobile account that must be provided before any changes can be made. (3) Some carriers offer SIM lock features — check if yours does. SMS-based 2FA is still better than no 2FA, but authenticator apps are significantly more secure.

How do I know if I am a victim of identity theft if I have not noticed anything wrong?

Warning signs you may be a victim even without obvious fraud: unexplained drops in your credit score, unfamiliar accounts or hard inquiries on your credit report, debt collection calls for accounts you did not open, bills for services you did not use, being denied credit unexpectedly, or receiving tax notices about income you did not earn. The most proactive approach: pull your full credit reports from all three bureaus at AnnualCreditReport.com and review every line. Sign up for free monitoring at Credit Karma (alerts on new accounts). Check your Social Security earnings record at ssa.gov for unexpected income you did not earn. Many victims discover fraud months or years after it started — early detection through regular monitoring is the key to limiting damage.

The bottom line

Identity theft prevention is not optional in 2026. Your data is already out there. The question is whether you have the layers of protection in place to prevent someone from using it.

Freeze your credit. Use a password manager. Enable 2FA. These three actions — all free — block the vast majority of identity theft attempts. The checklist above tracks your progress. The risk assessment above tells you which gap to close first.

Do it today. Not tomorrow. Not next week. Today. Your financial identity is worth 30 minutes of setup.

Next steps:

• Building the credit you want to protect? Read our credit score guide — a 740+ score saves tens of thousands on mortgages and auto loans.
• Want fraud protection on your everyday spending? Read our best beginner credit cards guide — credit cards offer far stronger fraud protection than debit cards.
• Protecting your investments too? Enable 2FA on your brokerage accounts (Fidelity, Schwab, Vanguard) and review our Fidelity review for platform-specific security features.