Maybe you’re like me, and you receive a denial in the mail for a credit card you never applied to. Or maybe you start getting bills for things you never bought. Perhaps your first clue is when you look at your cell phone bill and suddenly see your phone plan changed and new phones you never bought. Whatever the case is, your identity has been stolen. I’ve been there – it was the least fun Christmas gift ever (surprise! We got you identity theft for the holidays!)
Was your identity not stolen but you’re looking for how to protect yourself? Go to my prior article on protecting your personal information
You could be kicking yourself – what did you do to cause this? Were you careless with your personal information? Did you click on a phishing email, or were you caught up in a fake website? The sad truth is that you could be the most well protected person on earth, with the strongest ID’s and passwords, a home security monitoring system, and keep all your paperwork in an offsite safe deposit box – and still have your data stolen. How? It’s not stolen from you. Instead it’s stolen from a company you do business with. Your health insurance company. A company you shop at. A loan company. One of the credit monitoring companies. Your data is out there online and there’s only so much you can control. So don’t kick yourself – take control and clean up the mess.
All right, let’s get going! If your identity has been stolen, what should you do now?
- Check and freeze your credit with Equifax, Transunion, Experian, Chexsystems, and Lexis Nexis
First, all about checking your credit. You are entitled to one free credit report each year from each of the three major credit companies (Experian, Transunion, Equifax). There is only one legitimate site to go to get them – www.annualcreditreport.com. You may have been checking your credit all along, but now it’s time to pull all three credit reports – right now. If you’re concerned the security of your computer may have been compromised, do this after installing anti-virus or do it on a work computer. Never pull these from an unsecure computer – you enter a ton of personal information onto the site, and you don’t want to make any theft worse.
So check all three and print them. If you’re an identity theft victim you can do this for free, even if you already got your free annual credit reports. Go line by line and look at the entire report. Check every single loan, credit card, and application for credit. There are two paths from here:
#1 – You don’t see anything wrong. Maybe you’re lucky like me and the thief got some – but not all – of your information. If this is the case go straight to freezing your credit.
#2 – There’s something wrong. There’s a credit card that’s not yours. A loan you never took out. You’ll need to get this fixed. Write down which credit agency has the wrong information – is it Experian, Transunion, Equifax, or some combination of them? Also write down all the details of the incorrect information – what company its with, loan numbers, loan amounts, addresses, whatever details you see. Make sure to print copies of the credit reports as well. You’re going to be doing a lot of mailing. After you’ve done this, go to the next paragraph to freeze your credit and prevent any additional damage while you clean this up.
Now why am I jumping straight to a freeze? After all, the companies offer a softer protection called a “fraud alert” you can put on your credit file. This flags your file for fraud but still lets companies pull your credit. I will say that this is easier on you, if you’re going to need someone to access your credit for a legitimate reason. However – this is much less secure. My identity thief had my personal information and a fake drivers license. Having a fraud alert requesting that I be identified wouldn’t have done much to deter them. But having a credit freeze locks thieves out of your credit, making it impossible for them to open cards or loans in your name. For about $30 at the most (varying by state) you can essentially put your credit file into a virtual safe deposit box in under half an hour.
So what’s the downside to the freeze? Well, you need to pay a small fee not only for the freeze, but also whenever you thaw your credit temporarily. It will be a slightly bigger hassle when you apply for a loan, some kinds of insurance, and possibly employment. You’ll need to ask the company you’re applying to for what credit company they use, and then thaw just that one using a temporary lift. If you’re going to be shopping around, the companies will let you thaw your credit for a few days to give you time.
I personally feel this downside is actually an upside, if you’re on a good financial path or you’ve struggled in the past with debt. It’s like adding two-factor authentication but for your finances. You can’t go out on a whim and buy a new car, get a home loan, or a credit card. And it ensures that any new credit being opened is really for you – not for some thief who got your data in the Anthem data breach or stole paperwork with your social security number on it. The biggest pain is that it would make travel hacking hard.
When I read this advice usually I only see the three credit companies talked about – Experian, Transunion, and Equifax. Now they’re important but there are two others you may never have heard of that you need to freeze as well: Chexsystems and Lexis Nexis.
What information do they keep about you? Get ready to be creeped out!
Chexsystems – excerpted from their website,
Chex Systems, Inc. (ChexSystems) is a nationwide specialty consumer reporting agency under the federal Fair Credit Reporting Act (FCRA). ChexSystems’ clients regularly contribute information on closed checking and savings accounts. ChexSystems provides services to financial institutions and other types of companies that have a permissible purpose under the FCRA. ChexSystems’ services primarily assist its clients in assessing the risk of opening new accounts.
LexisNexis – excerpted from their website,
LexisNexis® products are used by law enforcement officials, non-profit organizations, businesses, and government agencies for a host of important and socially beneficial purposes.
This includes items such as real estate transaction and ownership data, lien, judgment, and bankruptcy records, professional license information, and historical addresses on file.
Now both of those are a treasure trove of your personal data, accessible to many. I froze both so an identity thief can’t get my personal information from these companies. I also don’t want someone opening checking accounts in my name.
Check out the links at the end of this article to see how much a freeze will cost in your state, and freeze your credit now.
Also, once you’ve frozen your credit be sure to opt out of pre-approved credit card offers. Now with frozen credit you likely won’t get a lot of these, but it’s an important step to stopping mailed offers that may be intercepted by a criminal.
All right, now you’ve checked your credit to find out what the damage is and made notes of what happened. Next it’s time to file reports. Get ready to spend some time on this step, and go buy some stamps because we’re going to be using the US mail.
2. File a report with your local police department (not the department where the theft occurred), the FTC, the IRS, the credit reporting companies, and the company where the theft occurred
This step is not intuitive, and unfortunately when my identity was first stolen I didn’t know these things. Heck at first I tried calling the police department where the theft occurred, not my local department, and I didn’t know you were supposed to report to the FTC for a few weeks. Sadly even though I knew so little the police officer I spoke with told me I knew more than him! Learn from my mistakes and the research I’ve done since that time! Be sure to start a document on your computer or a written document where you can record everything you’ve done, case numbers, who you spoke to, and what you mailed when. This can come in handy if you run into trouble with getting a specific company to fix what’s wrong.
- Go down to your towns police department, or give them a call on the non-emergency number to make an appointment to go down and make a report. Bring copies of your credit report, and whatever it was that tipped you off about the theft (an error in a bill, a credit card denial, a bill for a loan you never took out, etc.). Give a full report and don’t leave without a case number. You’re going to need this for fixing your credit and making the report to the FTC.
- Go to identitytheft.gov to report the identity theft to the FTC. They’ll also give you some information on next steps to take. Save a copy of your report and print it out.
- Report the identity theft to the IRS at https://www.irs.gov/individuals/identity-protection. If your social security number is compromised the thief may try to get a refund using your data. How can you protect against this? Two ways – you’ll need to file form 14039, Identity Theft Affidavit. This provides you a PIN you can use to file your taxes next year. Also change your withholdings so you don’t get a refund, if you currently get money back. This way, if the thief does successfully file a return in your name, you’re not waiting 18 months to get your refund.
- If there’s something wrong on your credit reports, its time to contact the credit reporting companies. Fire up your computer and get ready to write letters, and grab the phone. Write a letter explaining the identity theft, what happened, what’s incorrect and what needs to be fixed. Print three copies of the letter, and a copy of your credit report with the incorrect information circled. After calling each company to make the report, mail them the letters. Typically, you get a better response by mailing in addition to calling. Write down (or start a document on your computer) with who you spoke to, when, what was discussed, and when you mailed the letter. You’re going to need this if they give you trouble about clearing the incorrect information. Be sure to follow up in 30 days if you don’t hear back, and follow up through mail and phone.
- Equifax Credit Information Services, Inc
- O. Box 740241
- Atlanta, GA 30374
- TransUnion Fraud Victim Assistance Department
- O. Box 6790
- Fullerton, CA 92834
- PO Box 9532
- Allen TX, 75013
- Now contact the company with the incorrect information. Because you’re not an actual customer this may be difficult and you may get the run around. Again, in addition to calling you’re going to want to mail them the letter and a copy of your credit reports. Look up the right phone numbers and addresses online. If you don’t hear anything in 30 days follow up via mail and phone.
3. Change and strengthen all passwords and login information to your cell phone, computer, and every website you visit (including your work!)
You don’t know where this theft occurred. It might have been a data breach outside of your control, or the thief might have stolen something online. No matter where it occurred, now’s the time to change every major logon/password combination. Add long passwords to your computer(s) and cell phone as well, and turn off the feature where your browsers or phone will “remember” your password information. You don’t want to give any additional openings to the thieves.
Strong passwords – let’s be honest here – we’re all told this advice and we all hate it. After all, it seems like every website nowadays is requiring us to create a user ID and password. Heck some sites require this just to view, which is a pain in the butt. That’s dozens or hundreds of sites, all with different standards, in addition to sites you might access at work. The information overload causes us to reuse the simplest passwords we can get away with over and over again on different platforms – or write them down somewhere. Both of these are a huge security risk
So how can you do this and not resort to reusing them or writing them down? I know there are sites out there that promise to manage your passwords for you – as outlined in this PC Magazine article, if you’re interested – but I don’t trust them. Sorry but I think it’s a security risk to have your passwords in one place online. If its hacked, then what do you do?
But then you’re back to the problem of either using something common, reusing passwords across different sites/systems, or writing things down. So how do you get around that? Here’s what I do:
- First I turned off all automatic password prefills on my computer and cell phone
- I evaluate what type of site it is and how secure I need my logon information to be
- For example, am I signing up to read a site or for a newsletter? A coupon or free sample? If it’s something where I haven’t given any personal information (or I’ve given fake data), and if someone logged in as me they wouldn’t cause any damage, I create a common user ID and password for these sites. These go with the junk e-mail above. If you’re a crappy site that doesn’t really need a logon, you get a crappy logon
- I think about whether I really need to access this account online, or if I can do it the old-fashioned way – 1980’s style – through the mail
- You may not need to create an ID and password if you don’t need to go online with the account. Think about this one – the mail can be more secure than online. Identity theft has increased rapidly thanks to the internet
- If I really need to access the account online, then I create a unique strong password
- The usual password guidelines apply – capital and lowercase letters, numbers, special characters, no dictionary words.
- 12 character minimum
- This article on how to create strong passwords and remember them is a great one
So now you have better passwords, but guess what a lot of sites will let you do to access your account if you “forget” your password or user ID? They’ll ask you answers to security questions, some of which can be found online. Or if you call without your account number, they’ll ask for your social security number. And guess what people will steal from you? Enough information to get past security questions, or they’ll have your SSN. So they can get into your account. That’s how my identity thief changed my cell phone plan and attempted to buy three new cell phones in my name.
So what options are available to you now that you have a strong password?
- Check your security questions and make sure they’re not bad ones. For example, questions about the town your high school or college was in, or what town you got married, or your mother’s maiden name, can be bad. A lot of that information can be found online by googling you.
- If you find a bad security question, change it to something only you would know that you haven’t posted online and can’t find through Google
- Check to see what other security options the company offers
- I use two-factor authentication on every site that offers it where I need security, getting a text or e-mail with a unique security code every time I log in. Yes, it’s a pain – but necessary
- Some financial institutions offer voice authentication. Take them up on this
- Other sites may let you create a PIN to use in addition to your logon and password
- Make sure your logon ID is secure as well, and don’t write down the information anywhere
- Make sure you’ve turned off logon ID and password prefill. Site has the option to “remember me?” Don’t take them up on it. If your phone or computer is stolen, or you logged in and forgot to lock it, guess what? The thief has the keys to all your data right on the internet browser.
- Remember that the more critical the data, the stronger you want your logon to be
4. Contact all your service providers (cell phone, cable company, internet) and have them put a fraud alert on your account. Ask if there’s anything else you can do to protect your account, like add a PIN
This is a tip that I learned the hard way – when my cell phone company contacted me to let me know that not only did someone with a fake driver’s license try to add three phones to my account, but they also changed my cell phone and data plan! Don’t wait for this to happen to you – call your major service providers today. Your cell phone company, cable company (if you have cable – I don’t, but you might), internet provider, home phone, utility company – call all of them after you’ve changed your logon/password information. Let them know that you’re an identity theft victim and ask that they flag your account for fraud. Also ask what kind of additional security they may have available for their account holders. Some companies will have a special PIN, two factor authentication, or other security measures that are optional. Take them up on everything they offer, and record the contacts in your identity theft document.
5. Contact all your financial companies (savings accounts, checking accounts, 401k, investments, etc.) and have them put a fraud alert on your account. Ask if there’s anything else you can do to protect your account, like add a PIN or voice authorization.
This is something I didn’t learn the hard way, but I don’t usually see on lists of “what to do” after an identity theft. It’s important though, especially if the thief has your social security number. Make a list of all the financial companies you do business with and call them all. Tell them you’re an identity theft victim and ask that they flag your account for potential fraud. Ask them about additional security measures, like a PIN or voice authorization, two-factor authentication, or confirming all changes in writing through the mail.
6. Protect your physical environment and your personal information (online and in person) to prevent additional or future theft
First, what exactly is your personal information? In the industry this is often referred to as IIPI, or Individually Identifiable Personal Information. You might think this is just about your social security number and credit cards, but it’s much broader than that. This category includes information that may be public – like your name and address – along with private information like your social security number, date of birth, and driver’s license number.
But what about other information? Have you ever filled out online where you went to high school? Posted about your anniversary or your kids birthdays? Does the world wish you a happy birthday on Facebook? What about those notes that prompt you to share things like “your favorite vacation spot”, “your nicknames”, “your first car”, or other “fun” information with your friends online? That’s all a way of getting your personal information. I’ve seen notes on Facebook that are essentially recaps of the security questions you get asked on websites.
So what can you do here?
- Privacy Settings – Check your privacy settings on social media, and make sure all posts are visible only to your friends
- Friends or Foes? – Go through your friend and follower list. If it’s a social platform where you want to post about your vacation and your kids birthday parties, be sure that you know everyone on the list well. Remove anyone who you don’t know well, or put them in a separate group where they won’t see your posts
- Protect your Birthday – Change your birthday so it’s visible to “Only Me”, and consider changing it from your real date of birth to a fake one.
- Go Anonymous – Change your name to use a nickname. Don’t post your maiden name or full last name online
- Share Privately, not Publicly – Consider using email or a secure photo site to share things privately with a smaller group of people rather than a large friend list
- Be stingy – with your information. Don’t give out your social security number or real date of birth to anyone unless it’s a financial institution, insurer, school, employer, tax preparer, or someone else that truly needs to know. The key word here is needs. If someone asks you for your social security number and they’re not one of those entities, don’t give it to them unless you know exactly what they’re using it for and you feel strongly it’s valid.
- Protect your Birthday Part 2 – Don’t give your actual date of birth to any website (sign up for this coupon! Logon to our site to see the best sales! Etc.). Pick a date that you’ll remember (I like to use January 1st) and use it when you sign up for things online and can’t get past the field. Sorry coupon site, you don’t need my date of birth except for research and marketing, and I don’t trust your security
- DON’T KEEP KEY IDENTIFIERS ON YOU. Social security card, birth certificate, and passports should never be with you or unlocked in your house except for the specific time you need them. I keep mine in a safe deposit box, but you can also keep them in a secure hidden safe.
- Don’t Quiz Me! – Don’t answer any quiz on Facebook or any other site. They’re personal data mines.
- Don’t Go Phishing – Don’t ever respond to what’s called “phishing” e-mails. Be suspicious of every email and never click on the links. Did you get an email from your bank that you have a message? Don’t click the link, go to your banks website. Is it a link you need to click on (like a registration confirmation)? Don’t left click it – right click it and copy/paste it into your internet browser. This shows you the URL, and you can make sure it’s legit. Also, if you weren’t expecting a registration confirmation from that company, don’t click it at all!
- Fake Email – Keep a trash e-mail account and use it for any site where you don’t need to get e-mails from them. This helps prevent scams and helps you know whether a request is legit
Now you’ve protected your personal data as best you can, you’ve locked up your credit, and you’ve improved your online security. It’s time to protect your home to prevent identity theft (and frankly ordinary theft).
Why go this extra step? Well if someone has stolen your data online, they have your name and address. If there’s data they’re missing, or they want to find out what companies you invest in, they simply need to rob your house (or get someone to do it for them) or intercept your mail. Think about all the documents you may have somewhere in your house. Your social security card, birth certificate, and/or passport. Tax returns. Financial statements. Credit card offers. Paperwork from when you bought your house, or your cars. Loan documents. You need to protect all of these from theft. Also, don’t forget about your physical computer(s). You can have the strongest logon and passwords in the world, but if your computer is hacked thieves can log your keystrokes, destroying the online security you’ve built.
This is a great time to think about your home like a business. At work, the computers are protected and locked to your desk. Documents are shredded once they no longer need to be kept. Important paperwork with personal information is locked up. There is security at the buildings. Your home is like your personal business, and your own security is just as important as security at work – so protect it!
To Buy/To Do:
- Shredder – to shred financial documents, credit card offers, old tax returns, and anything else that might have your personal information on it. Don’t just recycle these or throw them in the trash! Shred it or regret it.
- Locking file cabinet – To lock up any financial documents (statements, tax returns, etc.)
- Safe Deposit Box Rental – Put your birth certificates, social security cards, passports, and other documents you don’t want in your house here. Offsite secure document storage means that even if someone breaks into your house,
- Security Cameras – I got mine a warehouse club, but you can also get them on Amazon. These connect wirelessly to a central device, and are set off by motion. You get an alert on your cell phone when they sense motion. Fortunately, all mine have caught so far were baby bears in my front walkway while we were on vacation! But they were great peace of mind when away.
- Antivirus Protection – Make sure your computers have an up-to-date legitimate active anti-virus software
- Operating System Upgrades – Make sure you’re using the latest operating system on your computers, so hackers can’t exploit bugs. I have a colleague at work whose computer was hacked in addition to her internet, and she got a call from her hacker taunting her. Creepy!
- Secure Computer (optional) – This is a great tip that I personally love. I keep an old laptop that I use only for surfing the internet and printing coupons. My newer computer is used for anything financial or personal, and online shopping. You can pick up a Chromebook for not much money, or ask around for a friend that might be upgrading and willing to give you their old computer. You can use the old one for web surfing and going to any sites that might be sketchy.
- Motion Lights – Put these around your house. The lights will go off whenever they sense motion, deterring thieves from entering your home. These combined with the security cameras will deter a lot of would-be criminals. After all why try to break into your house when the unsecure one next door has nothing?
7. Don’t pay for credit monitoring – use a free monitoring service combined with a security freeze and annual credit checks
Now that your credit is frozen an identity thief can’t open new credit in your name. Be sure to check your credit reports again annually to make sure something new didn’t sneak on there – there are companies that will open lines of credit without running a check, or there could have been something outstanding that didn’t show up on the report when you first pulled it. But in addition to these, sign up for credit monitoring.
With so many data breaches you may have gotten an offer for free credit monitoring. If this is the case, just take them up on the offer. If not though, All Clear ID has a free basic credit monitoring service you can sign up for. Check out the link below and give it a go. They’ll email you every month with your information, and help keep your credit secure. In my case I was a data breach victim so I got credit monitoring for free.
What resources are available to learn more?
- Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Indentity Thieves by Adam Levin. Check it out on Amazon, or read my review here
- The FTC’s Identity Theft website, and their PDF on what to do if your identity’s been stolen
- IRS Identity Theft website – To learn more about tax identity theft
- Free Annual Credit Report – To get a report from all three credit beaurus for free every year. Make sure there’s no fraudulent activity on your account.
- Identity Theft and Your Social Security Number, from the social security administration
- Clark Howards Identity Theft Guide
What are key links I need?
- Experian Credit Freeze
- Transunion Credit Freeze
- Equifax Credit Freeze
- Chexsystems Security Freeze
- LexisNexis Security Freeze
- The FTC’s Identity Theft website – To make a report with the FTC, and obtain a recovery plan
- IRS Form 14039 – Identity Theft Affidavit
- SSA Fraud Hotline:800-269-0271
- All Clear ID – Free credit monitoring for their Basic model
Do you have an identity theft story? Let me know in the comments!
Be sure to follow my blog for more great posts via e-mail or WordPress, or connect with me on Facebook or Twitter and say hello! You can also check out what I’m buying or baking on Instagram, what I’m pinning on Pinterest, or the latest books I’m reading (or want to read) over on Goodreads.
4 thoughts on “Seven Steps to Take if Your Identity’s Been Stolen”
Wow, very in depth. Sounds like you learned a lot from the experience! For identity theft insurance, I use Zander ID Theft (https://www.zanderins.com/idtheft2) and have had it for 2 years so far. I took the advice from Dave Ramsey and get my family of 4 covered for $145 a year. The nice thing about this option is that it includes a counselor to clean up the mess for you. You don’t want to be the one stuck doing all the work when you don’t have to. Thanks for the great report!
I remember hearing that ad on his show before. It’s definitely a pain, even when the theft is unsuccessful like mine.
Nice thorough article CMO! Thanks for providing the links as well.
Luckily we haven’t had any issues (yet). We are pretty good about creating strong passwords on our important sites and change them periodically. I certainly avoid any email that looks to be phishing.
Due to a data breach at the University of Maryland when my son went there for a summer camp, we get free credit monitoring from FamilySecure. I guess it’s doing its job.
Excellent! I found that identity theft will hit you by surprise, so it’s great you have the monitoring set up