Identity Theft: The First 48 Hours Are Critical — Here's What to Do
1 in 3 Americans will experience identity theft. The first 48 hours determine how much damage occurs. Follow this step-by-step recovery plan.
The Wallet Wisdom Team
Editorial Team
Maybe it was a charge you didn't make, a collection call about an account you never opened, a tax return rejected because "you" already filed, or a letter about a data breach. However you found out, the clock is now running. Identity thieves work fast — new accounts get opened, addresses get changed, and balances get drained in days, not months. What you do in the first 48 hours determines whether this is an annoying week or a two-year cleanup.
Here's the sequence, in order. Don't skip steps and don't reorder them.
Hour one: contain the account that's actively bleeding
Call the fraud department of whichever company is involved — the credit card with the bogus charge, the bank with the withdrawal, the lender with the account you never opened. Tell them the account or transaction is fraudulent, ask them to close or freeze it, and ask for written confirmation. Change the password and PIN on that account and any account sharing the same login.
Know your liability rules, because they shape urgency. Fraudulent credit card charges are capped at $50 by federal law, and virtually every issuer waives even that. Debit cards are worse: report within 2 business days and your loss is capped at $50; wait up to 60 days and the cap jumps to $500; wait longer and you can be liable for everything. This asymmetry is why fraud on a debit card is a genuine emergency and why day-to-day spending is safer on a credit card.
Hours two and three: fraud alert, then the FTC report
Call any one of the three credit bureaus — Equifax, Experian, or TransUnion — and place a free fraud alert. The one you call must notify the other two. The alert lasts one year, renews easily, and tells lenders to take extra steps to verify identity before opening credit in your name.
Then go to IdentityTheft.gov, the FTC's official identity theft site, and file a report. This isn't bureaucratic box-checking — the site generates an FTC Identity Theft Report and a personalized recovery plan, and that report is the key document for almost everything downstream: it substitutes for a police report with most creditors, forces credit bureaus to block fraudulent information from your file, and gives you dispute-letter templates that cite the right laws. Twenty minutes, free, and it makes every later step easier.
File an actual police report too if you know the thief, if the theft involved physical documents, or if any creditor or insurer demands one. Bring your FTC report, a government ID, proof of address, and any evidence. Local police may not investigate, but the report number matters for paperwork.
Day one: freeze your credit at all three bureaus
A fraud alert asks lenders to be careful. A credit freeze makes it structurally impossible to open new credit in your name, because lenders can't pull your file at all. Freezes are free by federal law, don't affect your credit score, and can be lifted temporarily online in minutes whenever you legitimately need credit.
You must place the freeze separately with each bureau — Equifax, Experian, and TransUnion each have their own process, online or by phone. Save the PINs or account logins they give you somewhere secure; you'll need them to thaw. Honestly, a freeze is worth having even if you've never been a victim. It's the single most effective consumer defense that exists, and it costs nothing.
While you're at it, pull your actual credit reports at AnnualCreditReport.com — the only federally authorized free source, available weekly from all three bureaus. Go line by line: accounts you don't recognize, hard inquiries you didn't authorize, addresses you've never lived at. Each one is a lead on what the thief has done and a dispute you'll need to file.
Day two: lock down the rest of your identity
- Change passwords on email first, then financial accounts, then everything else. Your email is the master key — anyone who controls it can reset the rest. Use unique passwords (a password manager makes this survivable) and turn on two-factor authentication, app-based rather than text-message where offered.
- Get an IRS Identity Protection PIN at irs.gov/ippin. This six-digit PIN prevents anyone from filing a tax return in your name. If a fraudulent return was already filed, you'll also submit IRS Form 14039, the identity theft affidavit.
- Check your bank accounts' contact info and linked devices. Thieves often change the address, email, or phone on an account so you stop receiving alerts. Verify and re-secure.
- If bank accounts were opened in your name, request your ChexSystems report (chexsystems.com) — it's the banking equivalent of a credit report — and dispute the fraudulent accounts there too.
- If your mail was involved — stolen mail, a change of address you didn't file — report it to the U.S. Postal Inspection Service and check whether a forwarding order exists on your address. Consider USPS Informed Delivery so you see what's supposed to arrive.
- If your Social Security number is being used for employment, create an account at ssa.gov and review your earnings record for wages you didn't earn.
The weeks after: disputing what the thief left behind
For every fraudulent account, send the creditor a dispute letter with a copy of your FTC Identity Theft Report, and send the credit bureaus a request to block the fraudulent information — under the Fair Credit Reporting Act, they must block items resulting from identity theft, typically within four business days of a complete request. Keep copies of everything, send disputes in writing (certified mail for the stubborn ones), and keep a log with dates and names. Collections agencies chasing fraudulent debt must stop once you provide the report and dispute; if they don't, that's a complaint to the CFPB at consumerfinance.gov, which gets remarkably fast responses from companies.
Expect stragglers. A fraudulent account can surface months later, which is why the freeze stays on and why you keep checking reports — free, weekly, at AnnualCreditReport.com. Most cleanups take a few weeks of paperwork; the bad ones take longer, but the process above works. It's tedious, not hopeless.
Should you pay for identity theft protection?
Mostly, no. The $10–$30 monthly services sell monitoring and alerts — things you can do free with a credit freeze, bank transaction alerts, and periodic report checks. They cannot prevent identity theft; they tell you about it afterward, which the freeze largely prevents anyway. If your data was in a breach, the breached company often provides free monitoring for a year or two — take the free version, skip the paid one. The insurance component sounds impressive but mostly reimburses incidental costs, not stolen money, which banks and card issuers already cover under the liability rules above.
The unglamorous truth is that the free tools are the strong ones: freeze at all three bureaus, unique passwords with two-factor, an IRS IP PIN, and a monthly glance at your statements. Set those up once and you're better protected than most paying customers.


