from Guide to Adulting on Oct 8, 2023
How to fight identity theft
According to usa.gov, if your personal or financial information was used without your permission, you are a victim of identity theft. Maybe your data was leaked in a breach, you lost your wallet, or you received a notice about an unrecognized debt. These are all scary prospects, and if it's a reality for you, follow the steps in this post.
Before diving in, there are a few ground rules:
- Do not pay for identity theft recovery. No paid service will report and handle identity theft for you; if a service claims to, it's a scam.
- Monitoring $\neq$ protection. Paid services offer to monitor your information for leaks, but monitoring doesn't protect you when a leak does happen. We'll discuss how to protect yourself for free.
- Don't trust random webpages[1]. Use official government resources where available. I'm not asking you to trust me either: Every link in this post is an official government or company webpage.
Victims: Obtain an Identity Theft Report immediately.
Follow these steps immediately if you're a victim of identity theft. At minimum, start on all of these steps within the first few hours.
- Keep track of all communication. Write down who you communicated with and when, in addition to how — record phone numbers and email addresses in case you need to reach out to them again.
  - Create a spreadsheet with who, when, and how for all your communications. If you send physical mail, register for tracking and mail receipts to ensure delivery.
- Obtain an Identity Theft Report. This report grants victims like you several invaluable protections. See this FTC memo, addressed to law enforcement, that explains this in more detail. Companies may ask for an Identity Theft Report to clear debts, close accounts, or disassociate fraudulent information.
  - Notify the FTC online at identitytheft.gov. Once you complete their forms, you'll additionally receive a checklist of items to go through. Save your FTC Identity Theft Report.
  - Notify local law enforcement by looking up your local police department's "identity theft" page (e.g., SFPD's webpage for financial crimes or SPD's online reporting). If in-person, bring a copy of the FTC memo above. Law enforcement will generate a police report, which is now your Identity Theft Report.
- Freeze or close accounts at the companies where fraud occurred. Bring your Identity Theft Report, which grants you certain protections. Almost every organization — be it a bank, e-commerce company or government agency — has a fraud unit[2].
  - For misuse of any government ID, search for "<government ID> identity theft" and contact the relevant agency's fraud unit. For example, say your driver's license was stolen. Contact the state agency where your license was issued (e.g., WA's DOL fraud unit or CA's DMV investigations office). They alone have your license number on file, to mark it as stolen.
  - For unauthorized transactions, search for company fraud units using "<company> fraud hotline". For example, Amazon has a fraud hotline and Bank of America has a hotline for stolen credit cards. These representatives can guide you through the steps needed to mitigate losses — freeze accounts, revert credit card transactions, or issue new card numbers.
  - Place a fraud alert at any of the three credit bureaus (Equifax fraud alert, Experian fraud alert, TransUnion fraud alert). That company is then mandated by law to share this fraud alert with the other two companies.
  - If you haven't already, for special accounts and forms of identity theft, see the FTC's official identity theft checklist for more specific guidance. For mail fraud, see the United States Postal Inspection Service's uspis.gov report page.
Resources above provide you with information. Many fraud reporting methods provide third parties with information and aren't designed to help you per se. For example, Amazon has a number of resources for reporting spoofing or fraudulent employment — the aim is for them to collect information. I suggest de-prioritizing these for now.
Protect yourself: Freeze, lock, and claim accounts.
It's scary to have your personal information exposed. However, many people's information is exposed, and you're not alone. More important than hiding your information, though, is limiting what scammers can do with it.
The below can all be completed online immediately. Complete these within the first 24 hours of identity theft. Even if you haven't had your identity stolen, you can still follow these steps to protect yourself. Limit the scammers' possibilities, using the below:
- Prevent credit fraud via credit freeze[4]. Place a freeze on your credit report at all three credit bureaus (Experian credit freeze, Equifax credit freeze, TransUnion credit freeze) to ensure no one can open accounts in your name. You can temporarily un-freeze to open an account yourself. Note a credit freeze is free; the paid "credit lock" service they advertise is not necessary for a freeze.
- Prevent employment identity fraud via SSN lock. Lock your SSN via the government's e-verify platform to ensure that no one can use your SSN to verify employment eligibility. When you change jobs, you can temporarily unlock your SSN. Lock your SSN at e-verify.gov.
- Prevent tax return leaks with an IRS account. It's relatively easy to create an IRS account: All that's needed is a photo of a government identity document and a photo of you, per this page. Additionally, an IRS account includes a lot of information — your past tax returns, income, bank account numbers, etc. So, create this account before someone else with your leaked information can, at irs.gov.
- Prevent tax fraud via an Identity Protection PIN (IP PIN). An IP PIN ensures that no one can submit a tax return, claim a tax refund, or access your previously-filed tax returns without your IP PIN. Naturally, when conducting any of those activities, you'll need to use your PIN. Create your IP PIN at irs.gov.
- Protect your social security benefits with an SSA account. Just like with the IRS, create an account with the Social Security Administration (SSA) so you're ready to claim your social security benefits, before someone else with your leaked information can. Create an account at ssa.gov.
The above are your highest priorities. After completing this list, you have a few key bases covered. To see the full breadth of possible protections, see the Consumer Financial Protection Bureau's "Consumer Reporting Companies" list, which names the consumer reporting agencies where you can place additional security freezes. Notable entries include ChexSystems (.gov page, used by banks), LexisNexis (.gov page, used by insurance companies) and the NCTUE (.gov page, used by utility companies).
Use consumer reports to assess scope of theft
Next, understand the full scope of identity theft.
- Obtain your credit report. You can obtain credit reports for free from annualcreditreport.com, Experian, Equifax, or TransUnion (linked from the FTC's official Identity Theft checklist under "Step 2"). Check for unexpected inquiries, accounts, or information (e.g., an unknown address). If you find any discrepancies, submit a dispute online. See the FTC's "Free Credit Reports" article for more.
- Determine what personal information is exposed. All three of the credit bureaus offer free web scans for your personal information. This can include your SSN, addresses, phone numbers, and more.
- Determine which accounts are compromised. Use monitor.firefox.com, which lists data breaches by email address. Although not all breaches include account login credentials, this can give you a sense of roughly when information was leaked.
- Determine which passwords are exposed. To search for breach information by password, use a password manager. Many popular password managers will monitor the web, and even the dark web, to see if your passwords have been exposed. This includes 1Password, Google Password, and Bitwarden[5].
Sign up for alerts from the above services, to know when your information is leaked. Additionally, use the information above to determine which accounts need password resets and whether or not you need to expand your list of security freezes. If you find yourself in another critical data breach, see the FTC's checklist for data breaches.
Maintain identity health over time
The below are lower-priority items that you can slowly do over time. However, they're still important — any additional personal information exposed is now more valuable, when combined with your previously-exposed information. The below are just my own opinions and guidelines; employ them (or not) as you see fit.
- Use a password manager. I know this tip is repeated way too often, but in addition to stronger randomized passwords and password monitoring, password managers also give you an overview of all your accounts. This makes improving your "identity health" (including the below steps) much easier, by showing where your accounts are.
- Don't use "Login with X" for accounts with valuables or payment information. This also applies to your random Godiva account with a credit card saved. The idea is: If your Facebook account was compromised, limit what the unauthorized user can access.
- Don't use the "Do Not Call" (DNC) list. Many people on Reddit have reported receiving more spam calls after joining the DNC list. In short, DNC is only for US-based, law-abiding companies. It goes without saying that these spam calls don't come from US-based, law-abiding companies to begin with.
- Remove credit card information where possible. In short, use services such as Apple Pay, Google Pay, or PayPal instead, so that (1) the vendor never receives actual credit card information[3] and (2) hackers with access to your account can't make additional purchases.
The above can either prevent or mitigate the impact of future information leaks. In short, just as your physical and financial health is extremely important, so is your "identity health". Whether it be annually, quarterly, or monthly, make it a habit to check up on your identity health every so often.
I hope this guide saves you time and stress. However, I'm not an expert, and I can't guarantee this guide is "enough" to protect you. The above is my best-effort distillation of various resources around the web; when in doubt and for further information, see the FTC's official resources on Identity Theft.
1. Search results on Google can lead to scams too. NPR reported in 2017 that "Searching for 'Facebook Customer Service' can lead to a scam." In 2019, a Google "Product Expert" noted a similar scam issue with Google.
2. There are certainly exceptions, most infamously Facebook. Vox prominently cites Facebook in its article from early 2023 on "The death of the customer service hotline", for not having a customer help desk.
3. According to Wikipedia's article on Apple Pay, the Apple Pay service sends a per-transaction token instead of your credit card information. This ensures that a vendor can't fraudulently make additional purchases with your information.
4. A credit freeze is the strongest protection you can possibly place on your credit report. A fraud alert leaves a note on your credit report, and inquirers are asked to double-check your identity. However, a fraud alert is just that — a note. It doesn't stop anyone from accessing your credit report. A credit freeze on the other hand actually stops inquirers from accessing your credit report; in turn, this prevents anyone else from using your information to open an account that requires a credit check. For more information, see the FTC's "What to know about credit freezes and fraud alerts".
5. I have excluded LastPass due to a previous security breach which led to significant financial losses for its customers, as reported by the Verge.