You can stop identity theft by layering a few key defenses: freezing your credit at all three bureaus, using strong authentication on every account, and monitoring your financial statements closely. If theft has already happened, acting within the first 48 hours dramatically limits your financial exposure and speeds recovery. Here’s how to lock things down, whether you’re preventing theft or responding to it.
Freeze Your Credit at All Three Bureaus
A credit freeze is the single most effective step you can take to prevent new-account fraud. It blocks lenders from pulling your credit report, which means no one can open a credit card, auto loan, or mortgage in your name. Freezes are free by law, and you can place one online, by phone, or by mail with each of the three major credit bureaus: Equifax, Experian, and TransUnion.
You need to freeze your file at all three separately. A freeze at Equifax does nothing to stop a thief who applies with a lender that checks Experian. When you submit your request online or by phone, the bureau must freeze your report within one business day. By mail, it takes up to three business days.
A freeze doesn’t affect your credit score, and it won’t interfere with your existing accounts. When you need to apply for credit yourself, you can temporarily lift the freeze. Online or phone requests to unfreeze must be processed within one hour, so you won’t be stuck waiting when you’re at a car dealership or closing on a house. Each bureau gives you a PIN or password when you set up the freeze. Store these somewhere secure, because you’ll need them to lift or remove the freeze later.
Lock Down Your Digital Accounts
Most identity theft now starts with a compromised online account, whether that’s your email, a bank login, or a shopping site where your card is stored. The goal is to make every account hard to break into, even if your password leaks in a data breach.
Use a unique password for every account. A password manager generates and stores them so you don’t have to remember dozens of random strings. If you reuse a password across sites, a breach at one company hands thieves the keys to everything else.
Turn on multi-factor authentication (MFA) wherever it’s available. MFA means you need a second proof of identity beyond your password, usually a code from an app or a prompt on your phone. The strongest option available to most people right now is a passkey, which major platforms like Apple, Google, and Microsoft all support. Passkeys are tied to the specific website you’re logging into, so they can’t be tricked by a fake phishing page the way a text-message code can. If passkeys aren’t available for a given account, an authenticator app is the next best choice. SMS codes are better than nothing, but they’re the weakest form of MFA because phone numbers can be hijacked through SIM-swapping.
Pay special attention to your primary email account. If a thief gets into your email, they can reset passwords on nearly everything else you use. Your email should have the strongest authentication you can set up.
Monitor Your Accounts and Reports
Freezing credit and securing passwords are preventive walls. Monitoring is your alarm system. Check your bank and credit card transactions at least weekly, either through your bank’s app or by reviewing statements. The sooner you spot a charge you didn’t make, the less damage a thief can do and the less you’ll owe.
You’re entitled to free credit reports from each bureau through AnnualCreditReport.com. Reviewing your reports regularly lets you catch accounts you didn’t open, addresses you’ve never lived at, or hard inquiries you didn’t authorize. Set a calendar reminder to pull a report every few months, rotating between bureaus so you’re checking throughout the year.
Many banks and credit card issuers also offer free transaction alerts. Turn these on so you get a notification any time a purchase exceeds a dollar amount you set, or any time your card is used for an online or international transaction. Real-time alerts let you call your bank within minutes of a fraudulent charge.
Know Your Liability Limits
Federal law caps what you owe for unauthorized charges, but the rules differ depending on whether you’re dealing with a credit card or a debit card.
For credit cards, your maximum liability for unauthorized charges is $50, and most major issuers waive even that. For debit cards and other electronic fund transfers, the math depends on how fast you act. If you report a lost or stolen card within two business days of learning about it, your liability is capped at $50. Wait longer than two days but report within 60 days of your statement being sent, and you could be on the hook for up to $500. Miss that 60-day window entirely, and you could lose everything the thief took after the deadline, with no cap at all.
This is why debit card fraud is more dangerous than credit card fraud in dollar terms. If someone drains your checking account, the money is gone while you dispute it. With a credit card, the charge sits on a statement while the issuer investigates, and you’re not paying out of pocket during that process. For everyday spending, using a credit card (paid off monthly) gives you a stronger safety net than a debit card.
What to Do If Theft Has Already Happened
If you discover unauthorized charges, new accounts in your name, or other signs that your identity has been stolen, speed matters. Here’s the sequence that limits damage fastest:
- Contact your bank or card issuer immediately. Report the unauthorized transactions and ask them to freeze or close the compromised account. For debit cards, getting this done within two business days keeps your liability at $50 or less.
- Place fraud alerts or credit freezes. A fraud alert is a lighter step than a freeze. You only need to contact one bureau, and it’s required to notify the other two. The alert tells lenders to verify your identity before opening new credit. A freeze is stronger because it blocks access entirely.
- File a report at IdentityTheft.gov. This is the FTC’s official recovery site. You answer questions about what happened, and the site generates a personalized recovery plan with pre-filled letters and forms you can send to creditors, debt collectors, and the bureaus. If you create an account, it tracks your progress and updates your plan as your situation changes.
- File a police report. Some creditors and bureaus require a police report before they’ll remove fraudulent accounts. Bring your FTC identity theft report with you, as many police departments use it to streamline the process.
- Dispute fraudulent accounts and charges. Contact each company where a thief opened an account or made charges. Send them your FTC recovery plan documents and ask them to close the fraudulent account and remove it from your credit report. Follow up with the credit bureaus directly to dispute any inaccurate information that remains on your report.
Protect Against Phone and AI Scams
Identity thieves don’t always hack accounts directly. Social engineering, where someone tricks you into handing over information, remains one of the most common attack methods. Phishing emails impersonate banks, employers, or government agencies. Phone scams use urgency and fear to get you to share account numbers or Social Security digits.
AI-generated voice cloning has made phone scams harder to detect. A thief can use a short clip of someone’s voice, pulled from social media or a voicemail, to create a convincing fake call that sounds like a family member in trouble. The best defense is a pre-arranged code word that your family agrees on. If someone calls claiming to be your child or parent and asks for money, ask for the code word. No legitimate emergency will be derailed by a five-second verification.
As a general rule, never share personal information in response to an unexpected call, text, or email, even if it appears to come from your bank or a government agency. Hang up and call the organization directly using the number on their official website or on the back of your card. Legitimate institutions will never pressure you to act immediately or threaten you with arrest over the phone.
Secure Your Mail and Physical Documents
Not all identity theft is digital. Stolen mail is still a common source of account numbers, Social Security numbers, and pre-approved credit offers. If you don’t have a locking mailbox, consider signing up for USPS Informed Delivery, which emails you images of incoming mail so you can spot if something goes missing.
Shred documents that contain account numbers, Social Security numbers, or other sensitive information before discarding them. This includes old bank statements, tax forms, insurance paperwork, and pre-approved credit card offers. Opt out of pre-approved credit offers by calling 1-888-5-OPT-OUT (1-888-567-8688), which removes your name from the marketing lists the bureaus sell to lenders. Fewer offers in your mailbox means fewer opportunities for a thief to intercept one and open an account in your name.
Store important documents like your Social Security card, passport, and birth certificate in a secure location at home rather than carrying them in your wallet. You rarely need your Social Security card in person, and losing it creates an unnecessary risk.