A practical first-response manual for the moment you realize someone may be using your identity, your accounts, your SSN, or your credit
This is one of those situations where the first day matters because panic makes people do the wrong things in the wrong order.
They:
- change random passwords but ignore email
- call the wrong company first
- forget to freeze credit
- focus on shame instead of containment
- wait too long because they are not sure it is “serious enough”
The first rule is simple:
Treat identity theft like containment, not philosophy.
Your first 24 hours are for:
- stopping further damage
- securing key accounts
- locking down new-credit risk
- creating a report trail
- moving in the right order
The FTC says the central federal recovery hub is IdentityTheft.gov, which lets you report identity theft and get a personalized recovery plan. FTC guidance also says credit freezes and fraud alerts are free tools that can make it harder for thieves to open new accounts in your name. (Consumer Advice)
1) What this manual is for
Use this if:
- you found accounts you did not open
- your bank or card shows unauthorized transactions
- your email or phone account was taken over
- a lender says you applied for credit when you did not
- your SSN may have been exposed or used
- a tax return was filed in your name
- a breach notice plus suspicious activity makes this feel real
This guide is mainly U.S.-focused because the recovery system, reporting flow, and credit-file tools are highly U.S.-specific. The FTC’s IdentityTheft.gov and AnnualCreditReport’s official guidance are the main anchors here. (IdentityTheft.gov)
2) The first hour: do these first
Do this in order:
- Secure your email account first.
- Change the password from a clean device if possible.
- Review whether recovery email, phone number, or MFA settings were changed.
- Lock or secure any bank/card accounts that show unauthorized use.
- Freeze your credit with all three bureaus.
- Report the identity theft at IdentityTheft.gov.
- Pull and review your credit reports.
- If tax identity theft is involved, follow IRS identity-theft steps too.
Why email first? Because email is often the control tower for password resets, bank alerts, and account recovery, and a compromised inbox lets a takeover spread to other accounts. The credit freeze comes early because a security freeze is designed to stop new credit, loans, and services from being opened in your name without permission. (annualcreditreport.com)
3) Do not start with the wrong moves
Avoid these in the first few hours:
- do not only post about it online
- do not only change one password and assume you are done
- do not start by calling ten places randomly
- do not give the same compromised email priority as your bank account
- do not ignore your credit file if new-account fraud is possible
- do not delay reporting because you feel embarrassed
The FTC is explicit that IdentityTheft.gov is the place to report identity theft and get a recovery plan, and AnnualCreditReport says suspicious accounts or activity on your reports can be signs of identity theft that require review. (Consumer Advice)
4) Freeze your credit early
A security freeze is one of the strongest first-day moves when the risk includes new accounts or credit abuse. AnnualCreditReport says a security freeze helps prevent credit, loans, and services from being opened in your name without your permission, and it must be requested with each of the three credit reporting companies. (annualcreditreport.com)
Practical rule
If identity theft may involve your SSN, your credit profile, or unknown account opening, freeze first.
Important distinction
A freeze is not the same as a fraud alert.
FTC guidance says both are free, both can help, but they work differently. A fraud alert tells businesses to verify your identity before issuing new credit; a freeze more directly blocks access to your report for new-credit decisions until you lift it. FTC guidance also notes that an extended fraud alert can last seven years if you have an FTC identity theft report or police report. (Consumer Advice)
5) Fraud alert vs freeze
If you want the simpler, stronger first move for serious identity theft risk, a freeze is usually the sharper tool.
Fraud alert
Useful if:
- you suspect risk
- you want lenders warned to verify identity
- you want an easier, lighter step than a full freeze
AnnualCreditReport says you can place an initial fraud alert as soon as you suspect identity theft. (annualcreditreport.com)
Security freeze
Useful if:
- new-account fraud is a real concern
- your SSN or core identity data may be exposed
- you want to make new credit opening much harder
AnnualCreditReport’s security-freeze guidance says freezes are meant to stop new credit, loans, and services from being opened in your name without permission. (annualcreditreport.com)
6) Report it at IdentityTheft.gov
FTC guidance is very clear here: report identity theft through IdentityTheft.gov. When you report there, you can get:
- an Identity Theft Report
- a personalized recovery plan
- step-by-step advice tailored to the problem you describe. (Consumer Advice)
Why this matters
Do not waste the first day inventing your own recovery workflow from random internet threads. Use the official recovery system first.
Practical rule
Even if you are not yet sure how big the damage is, reporting early gives you structure.
7) Review your credit reports
AnnualCreditReport says suspicious activity or accounts you do not recognize can be signs of identity theft, and reviewing all three reports helps you catch problems early. (annualcreditreport.com)
What to look for
- accounts you never opened
- inquiries you do not recognize
- addresses you never used
- names or employers that are wrong
- collection accounts that are unfamiliar
- credit cards, loans, or utilities that are not yours
Practical rule
Do not assume one weird account is the whole story.
8) If bank or card fraud already happened
If existing accounts were used, lock down the money side immediately.
Do this:
- call the bank or card issuer using the official number
- report unauthorized activity
- ask whether the card/account should be locked, replaced, or monitored
- ask what fraud claim or affidavit process they require
- review recent transactions, not just the one you noticed
This is not just about getting money back. It is about stopping follow-on use and documenting the timeline.
9) Secure the real choke points
In identity theft, some accounts matter more than others because they control recovery.
Secure these first:
- primary email
- main mobile carrier account
- banking logins
- major credit cards
- password manager, if you use one
- cloud storage tied to scans/docs
- tax account access if tax theft is possible
Why this matters
If a thief controls your email or mobile number, they may control your password resets and one-time codes too.
10) If tax identity theft is involved
If you learn your tax identity may have been used, IRS guidance says identity-theft victims should follow IRS identity-theft procedures. Recent IRS guidance explains that victims who cannot e-file may need to file a paper return and use Form 14039 in appropriate cases. The IRS also offers an Identity Protection PIN, a six-digit number that helps prevent someone else from filing a return using your SSN or ITIN. (IRS)
Use this branch if:
- your e-filed return was rejected because one was already filed
- you got IRS notices that do not make sense
- wage/tax records look wrong
- someone used your SSN in a tax context
Practical rule
Tax identity theft is its own lane. Do not treat it like ordinary card fraud.
11) If it started with a breach notice
A breach notice alone is not always identity theft. But it is enough to justify protective action.
FTC breach guidance says if your information was exposed in a data breach, you should go to IdentityTheft.gov/databreach to learn protective steps. AnnualCreditReport also explains that data breaches can create serious personal and financial risk. (Consumer Advice)
Practical rule
If the breach included SSN, financial-account data, or core identity details, act as if your exposure is meaningful, not hypothetical.
12) What to document in the first day
Keep one plain record:
- when you discovered it
- what account or sign triggered concern
- what companies you contacted
- what case/reference numbers you received
- what steps you took
- what unauthorized accounts or transactions you found
This is not busywork. It prevents confusion when multiple institutions ask for the same story later.
13) If your phone number or SIM may be compromised
If texts stop arriving, MFA breaks, or your carrier account behaves strangely, treat that as serious.
Do this:
- contact the carrier through official support
- ask whether there was a SIM swap, port-out, or profile change
- secure carrier PINs or passcodes
- treat the phone account like a core identity asset, not a convenience account
Why this matters
A compromised phone line can break login recovery across other services.
14) The three biggest mistakes in the first 24 hours
Mistake 1: changing random passwords while leaving email exposed
That is backwards.
Mistake 2: skipping the credit freeze
If the risk includes new credit, delay helps the thief, not you. AnnualCreditReport says freezes help stop new credit, loans, and services from being opened in your name. (annualcreditreport.com)
Mistake 3: not using the official recovery path
FTC says IdentityTheft.gov is the federal reporting and recovery hub. Use it. (IdentityTheft.gov)
15) The right order for the first 24 hours
If you want the simplest sequence:
First 2 hours
- secure email
- lock bank/card access if needed
- freeze credit
- report at IdentityTheft.gov
Same day
- pull credit reports
- identify unknown accounts/inquiries
- contact affected institutions
- document everything
If tax-related
- follow IRS identity-theft process
- consider an IP PIN path for protection going forward. (IRS)
That order is more useful than trying to solve the entire identity-theft universe at once.
16) What to say when calling institutions
Keep it tight.
For a bank/card issuer
I believe I’m a victim of identity theft or unauthorized use and need to secure this account, review recent activity, and understand the fraud process.
For a credit bureau / freeze workflow
I need to place a security freeze because I suspect identity theft.
For your notes
Always record the case number and the name or ID of the representative.
17) Panic-mode version
If your brain is fried, do only this:
- secure your main email
- lock affected bank/card accounts
- freeze credit with all three bureaus
- report at IdentityTheft.gov
- pull your credit reports
- write down what happened and when
That is enough for today.
18) One-paragraph summary
If you suspect identity theft, use the first 24 hours for containment. The FTC says IdentityTheft.gov is the federal site to report identity theft and get a personalized recovery plan. FTC and AnnualCreditReport guidance also make clear that credit freezes and fraud alerts are free tools that help stop identity thieves from opening new accounts, with freezes being the stronger block for new-credit risk. Review all three credit reports for unfamiliar accounts or inquiries, secure core accounts like email and banking first, and follow separate IRS steps if tax identity theft is involved, including the Identity Protection PIN path where relevant. (IdentityTheft.gov)

