from Guide to Adulting on Oct 8, 2023

How to fight identity theft

According to, if your personal or financial information was used without your permission, you are a victim of identity theft. Maybe your data was leaked in a breach, you lost your wallet, or you received a notice about an unrecognized debt. These are all scary prospects, and if it's a reality for you, follow the steps in this post.

Before diving in, there are a few ground rules:

  1. Do not pay for identity theft recovery. No paid service will report and handle identity theft for you; if a service claims to, it's a scam.
  2. Monitoring $\neq$ protection. Paid services offer to monitor your information for leaks, but monitoring doesn't protect you when a leak does happen. We'll discuss how to protect yourself for free.
  3. Don't trust random webpages 1. Use official government resources where available. I'm not asking you to trust me either: Every link in this post is an official government or company webpage.

Victims: Obtain an Identity Theft Report immediately.

Follow these steps immediately if you're a victim of identity theft. At minimum, start on all of these steps within the first few hours.

  1. Keep track of all communication. Write down who you communicated with and when, in addition to how — record phone numbers and email addresses in case you need to reach out to them again.

    • Create a spread with who, when, and how for all your communications. If you send physical mail, register for tracking and mail receipts to ensure delivery.
  2. Obtain an Identity Theft Report. This report grants victims like you several invaluable protections. See this FTC memo, addressed to law enforcement, that explains this in more detail. Companies may ask for Identity Theft Report to clear debts, close accounts, or dis-associate fraudulent information.

    • Notify the FTC online at Once you complete their forms, you'll additionally receive a checklist of items to go through. Save your FTC Identity Theft Report.
    • Notify local law enforcement by looking up your local police department's "identity theft" page (e.g., SFPD's webpage for financial crimes or SPD's online reporting). If in-person, bring a copy of the FTC memo above. Law enforcement will generate a police report, which is now your Identity Theft Report.
  3. Freeze or close accounts at the companies where fraud occurred. Bring your Identity Theft Report, which grants you certain protections. Almost every organization — be it a bank, e-commerce company or government agency — has a fraud unit2.

    • For misuse of any government ID, search for <government ID> identity theft and contact the relevant agency's fraud unit. For example, say your driver's license was stolen. Contact the state agency where your license was issued (e.g., WA's DOL fraud unit or CA's DMV investigations office). They alone have your license number on file, to mark it as stolen.
    • For unauthorized transactions, search for company fraud units using <company> fraud hotline. For example, Amazon has a fraud hotline and Bank of America has a hotline for stolen credit cards. These representatives can guide you through the steps needed to mitigate losses — freeze accounts, revert credit card transactions, or issue new card numbers.
    • Place a fraud alert at any of the three credit bureaus (Equifax fraud alert, Experian fraud alert, Transunion fraud alert). The companies are then mandated by law to then share this fraud alert with the other two companies.
    • If you haven't already, for special accounts and forms of identity theft, see the FTC's official identity theft checklist for more specific guidance. For mail fraud, see the United States Postal Inspection Service's report page.

Resources above provide you with information. Many fraud reporting methods provide third parties with information and aren't designed to help you per se. For example, Amazon has a number of resources for reporting spoofing or fraudulent employment — the aim is for them to collect information. I suggest de-prioritizing these for now.

Protect yourself: Freeze, lock, and claim accounts.

It's scary to have your personal information exposed. However, many people's are, and you're not alone. More important than hiding your information though, is limiting what scammers can do with it.

The below can all be completed online immediately. Complete these within the first 24 hours of identity theft. Even if you haven't had your identity stolen, you can still follow these steps to protect yourself. Limit the scammers' possibilities, using the below:

The above are your highest priorities. After completing this list, you have a few key bases covered. To see the full breadth of possible protections, see this list of consumer reporting agencies on the Consumer Financial Protection Bureau's "Consumer Reporting Companies" list, which you can place additional security freezes at. Notable entries include ChexSystems (.gov page, used by banks), LexisNexis (.gov page, used by insurance companies) and the NCTUE (.gov page, used by utility companies).

Use consumer reports to assess scope of theft

Next, understand the full scope of identity theft.

Sign up for alerts from the above services, to know when your information is leaked. Additionally, use the information above to determine which accounts need password resets and whether or not you need to expand your list of security freezes. If you find yourself in another critical data breach, see the FTC's checklist for data breaches.

Maintain identity health over time

The below are lower priority items that you can slowly do over time. However, they're still important — any additional personal information exposed is now more valuable, when combined with your previously-exposed information. The below is just my own opinions and guidelines; employ them (or not) as you see fit.

The above can either prevent or mitigate the impact of future information leaks. In short, just as your physical and financial health is extremely important, so is your "identity health". Whether it be annually, quarterly, or monthly, make it a habit to check up on your identity health every so often.

I hope this guide saves you time and stress. However, I'm not an expert, and I can't guarantee this guide is "enough" to protect you. The above is my best-effort distillation of various resources around the web; when in doubt and for further information, see the FTC's official resources on Identity Theft.

back to Guide to Adulting

  1. Search results on Google can lead to scams too. NPR reported in 2017 that "Searching for ‘Facebook Customer Service' can lead to a scam." In 2019, a Google "Product Expert" noted a similar scam issue with Google

  2. There are certainly exceptions, most infamously Facebook. Vox prominently cites Facebook in its article from early 2023 on "The death of the customer service hotline", for not having a customer help desk. 

  3. According to Wikipedia's article on Apple Pay, the Apple Pay service sends a per-transaction token instead of your credit card information. This ensures that a vendor can't fraudulently make additional purchases with your information. 

  4. A credit freeze is the strongest protection you can possibly place on your credit report. A fraud alert leaves a note on your credit report, and inquirers are asked to double-check your identity. However, a fraud alert is just that — a note. It doesn't stop anyone from accessing your credit report. A credit freeze on the other hand actually stops inquirers from accessing your credit report; in turn, this prevents anyone else from using your information to open an account that requires a credit check. For more information, see the FTC's "What to know about credit freezes and fraud alerts"

  5. I have excluded Lastpass due to a previous security breach which led to significant financial losses for its customers, as reported by the Verge.