Data Breaches13 min readJune 22, 2026

How to Recover from Identity Theft: A Complete Step-by-Step Action Plan

Discovering you're an identity theft victim is terrifying — but recovery is possible with the right steps. This guide walks you through exactly what to do immediately, how to clean up fraudulent accounts, restore your credit, and protect yourself from future theft.

Recovery support

Contain the damage, then harden the system that failed

Recovery comes first, but the highest-value next step is building a setup that makes repeat fraud harder and easier to spot.

Use NordProtect for ongoing monitoring

Best if you want alerts, recovery support, and a simpler way to spot new exposure after the initial cleanup.

Try NordProtect

Replace reused passwords with a manager immediately

A password manager is the fastest way to stop one exposed login from spreading to the rest of your accounts.

Choose a password manager

If this started with a breach, use the prevention guide next

Helpful for turning a one-time cleanup into a longer-term identity defense routine.

See prevention tools

You've Discovered Identity Theft: What to Do Right Now

Identity theft can feel catastrophic when you first discover it. Maybe your credit card was declined for a purchase you didn't make. Maybe you received a collection notice for an account you never opened. Maybe the IRS rejected your tax return because someone else already filed using your Social Security number. Whatever the trigger, the first hours matter — and a clear action plan turns a crisis into a recoverable situation.

Recovery takes time — typically weeks to months for full resolution — but every step you take closes an attack vector and brings you closer to restoration. The FTC's identity theft recovery program at identitytheft.gov is the official US government resource; this guide walks through the full process systematically, from immediate containment through long-term monitoring.

Step 1: Contain the Damage Immediately

The first priority is stopping ongoing fraud. While you're working through documentation, new fraudulent accounts may still be opening. Containment first.

Place fraud alerts or freeze your credit immediately. A fraud alert requires lenders to verify your identity before opening new accounts and takes effect in minutes. Place it at one bureau — Equifax, Experian, or TransUnion — and that bureau is required by law to notify the other two. For stronger protection, place a full security freeze at all three bureaus plus specialty agencies (ChexSystems, EWS, NCTUE, Innovis). See our complete credit freeze guide for step-by-step instructions.

Change passwords on compromised accounts immediately. If you know or suspect an account was accessed, change its password to a strong, unique one right now. Start with email — email compromise enables attackers to reset every other account. Use our free password generator to create a strong replacement and store it in a password manager. If you've been reusing passwords, change them everywhere that shares the compromised password. Our guide on password reuse risks explains why this is urgent.

Contact the financial institution directly. If the fraud involves a bank account, credit card, or investment account, call the institution's fraud line immediately. Every major financial institution has a 24/7 fraud hotline on the back of your card or on their website. Report the unauthorized transactions, request a chargeback, and ask them to issue new account numbers and cards. Request written confirmation of every conversation.

Document everything from the start. Create a folder — physical or digital — for every piece of correspondence, confirmation number, representative name, and date/time of every call. Recovery involves coordinating across many institutions and agencies, and documentation is what protects you in disputes.

Step 2: Report to the FTC

The Federal Trade Commission's identity theft report at identitytheft.gov is the official US government reporting mechanism and one of the most useful tools in the recovery process.

Filing an FTC report takes about 10-15 minutes. You'll describe what happened and what type of fraud occurred. The site generates two important outputs: an Identity Theft Report (a signed declaration you can send to creditors and bureaus) and a personalized recovery plan with specific action steps tailored to your type of fraud (new accounts, tax fraud, medical identity theft, etc.).

The Identity Theft Report has legal standing. Under the Fair Credit Reporting Act, sending this report to a credit bureau requires them to block fraudulent accounts and inquiries from your credit report within 4 business days of receiving it. This is more powerful than a standard dispute.

Save and print your FTC report — you'll reference it in virtually every subsequent step of the recovery process. If local law enforcement is involved (some creditors require a police report to process fraud claims), bring your FTC report to the police station as supporting documentation.

Step 3: Pull Your Credit Reports and Document All Fraud

You're entitled to free credit reports from all three bureaus at annualcreditreport.com. Pull all three immediately — do not use any other site to pull reports, as many are scams or subscription traps. Review every account, inquiry, and address on each report.

On your reports, look for:

  • Accounts you didn't open — credit cards, loans, retail accounts
  • Hard inquiries from lenders you didn't apply to
  • Addresses you haven't lived at
  • Employment history that isn't yours
  • Accounts with correct creditors but addresses or balances you don't recognize

Create a complete log of every fraudulent item: creditor name, account number (if shown), date opened, balance, and which bureau(s) it appears on. This list drives all subsequent dispute work.

For each fraudulent account, contact the creditor directly in addition to disputing through the bureaus. Creditors have their own fraud departments that can flag accounts, close them, and issue correction letters faster than the dispute process alone.

Step 4: Dispute Fraudulent Items with the Credit Bureaus

To remove fraudulent accounts and inquiries from your credit reports, file disputes with each bureau that shows the fraudulent item. You can dispute online, by phone, or by certified mail — certified mail provides the strongest paper trail and is recommended for serious fraud cases.

When disputing, include: your FTC Identity Theft Report, a copy of a government-issued ID, proof of your address (utility bill or bank statement), and a letter specifying each fraudulent item you're disputing. Send everything by certified mail with return receipt requested so you have proof of delivery and receipt date.

Under the FCRA, bureaus must investigate within 30 days of receiving your dispute. If the investigation confirms the fraud, the item must be removed. If a dispute is rejected, you can appeal with additional documentation and escalate to the CFPB (consumerfinance.gov) if necessary.

Keep copies of everything you send. When items are removed, request a corrected credit report to confirm the removal and keep it in your documentation folder.

Step 5: Address Specific Fraud Types

Different types of identity theft require targeted responses beyond the general credit process:

Tax fraud: If someone filed a tax return using your SSN, file a paper return with Form 14039 (IRS Identity Theft Affidavit) and your actual tax return attached. The IRS will flag your account and issue you an Identity Protection PIN — a 6-digit code required on all future returns. The IP PIN program is available to all taxpayers at irs.gov/identity-theft-central even before fraud occurs, and signing up proactively is strongly recommended.

Medical identity theft: Contact every healthcare provider and insurance company where fraudulent services were billed. Request an accounting of all disclosures of your health information (you're entitled to this under HIPAA). File a complaint with the Department of Health and Human Services. Incorrect medical records can have serious consequences beyond financial ones — fraudulent entries in your health history can affect your treatment.

Government benefits fraud (unemployment, Social Security, etc.): Contact the relevant agency directly (the Social Security Administration at ssa.gov for SSN misuse, your state unemployment office for unemployment fraud). File a report with the FTC on identitytheft.gov using the specific fraud category.

Utility and telecom fraud: If someone opened a phone plan, cable account, or utility in your name, contact the provider, dispute the charges, and check your ChexSystems and NCTUE reports — these agencies are used by telecom and banking institutions for new-account decisions.

Step 6: Clean Up Your Digital Security

While address the financial recovery, secure your digital life so the attacker can't re-enter or escalate.

Conduct a full password audit. Every account that shares a password with any compromised account needs a new, unique password. Install a password manager — NordPass or 1Password — to generate and store unique passwords going forward. This single step eliminates the credential stuffing risk that may have enabled the original breach.

Enable two-factor authentication on every account that offers it, particularly email, financial accounts, and social media. Even if an attacker has your password, 2FA prevents login without the second factor. See our 2FA guide for setup instructions across major platforms.

Review all active sessions on your email, social media, and financial accounts. Most platforms list active sessions in security settings — revoke anything unfamiliar. Check connected apps and third-party authorizations and revoke any you don't recognize or no longer use.

Scan your devices for malware. If your personal information was stolen via spyware or a keylogger rather than a data breach, the malware may still be present. Run a full scan with a reputable antivirus tool like Avast or McAfee. If you suspect deep compromise, consider resetting the device to factory settings and restoring from a clean backup.

Step 7: Monitor and Maintain Protection Long-Term

Identity theft recovery doesn't end when you resolve the immediate fraud. Stolen personal information circulates for years — your SSN and other identifying data don't expire, and criminals may wait months before using stolen credentials.

Keep your credit frozen unless you're actively applying for credit. A freeze provides permanent protection against new account fraud with no ongoing maintenance. Check annualcreditreport.com every few months to verify no new fraudulent accounts have appeared.

Set up dark web monitoring. Services like NordProtect continuously scan criminal databases and breach repositories for your personal information — SSN, email addresses, financial account details — and alert you immediately when anything new surfaces. This gives you advance warning before fraud occurs, not after. NordProtect also provides identity restoration support, including access to specialists who can help guide recovery if you're victimized again.

Consider an IRS Identity Protection PIN even if the original fraud didn't involve tax identity theft. It's free, available to all Americans, and prevents anyone else from filing a return using your SSN. Sign up at irs.gov/identity-theft-central.

Keep your documentation folder intact for at least 7 years. Extended fraud alerts last 7 years. Some fraudulent activity may resurface during that window. Your records protect you in any future disputes.

Recovery Timeline: What to Expect

Identity theft recovery is not instant. Setting realistic expectations helps you stay on track without feeling like the process is failing:

  • Days 1-3: Containment — freeze credit, change passwords, report to FTC, contact affected institutions
  • Week 1: Pull credit reports, document all fraud, send initial dispute letters, file police report if needed
  • Weeks 2-4: Follow up with creditors on each fraudulent account, respond to bureau dispute investigations
  • Month 1-3: Monitor dispute outcomes, appeal any rejections, confirm removals on corrected credit reports
  • Month 3-6: Address any remaining fraud types (tax, medical, government benefits) — these take longer
  • Ongoing: Monitor credit and dark web continuously; keep credit frozen when not actively needed

Recommended Tools

A complete identity theft recovery toolkit combines active monitoring, strong account security, and expert support:

  • NordProtect — Identity theft protection with continuous dark web monitoring, breach alerts, and identity restoration support. If you're recovering from theft, NordProtect's specialists can guide you through the process and help coordinate with agencies on your behalf.
  • NordPass — Zero-knowledge password manager to immediately replace reused passwords with strong, unique ones. Includes breach monitoring to flag any stored credentials that appear in new leaks.
  • 1Password — Password manager with Watchtower breach monitoring, identifying compromised, reused, or weak passwords across your vault — essential after a compromise.

Visit our full recommended tools guide for a complete security stack, and use our free password generator to start creating strong, unique passwords for every account today. For prevention, see our guide on what to do after a data breach and identity theft protection strategies.

Recommended next step

Compare identity protection tools

Breach alerts and recovery support are most useful before a leaked credential turns into account takeover.

Compare identity protection tools

Finish the hardening work

Keep Improving Your Account Security

#identity theft#identity theft recovery#credit fraud#FTC#fraud alert#credit freeze#data breach

🔒 Generate a Strong Password Now

Use our free tool to create cryptographically secure passwords for all your accounts.

Try the Password Generator →
Identity protection

Monitor breach exposure and get alerts before leaked credentials turn into account takeover.

Try NordProtect
Most secure

Open-source password manager trusted by millions. Free forever.

Get Bitwarden Free