What Is Identity Theft and How to Recover From It
Identity theft is when someone uses your personal information without your permission to commit fraud, open accounts, get medical care, file taxes, or otherwise impersonate you for their benefit. The personal information varies: Social Security number, date of birth, name plus address, account credentials, medical insurance numbers, anything that lets the impersonator pass as you in some specific context.
The damage varies just as much. Some victims lose hundreds of dollars in fraudulent charges that the bank reverses within days. Others spend years untangling fake accounts, rejected loan applications, and tax returns filed in their name.
That's the short version. The longer version requires understanding how identity theft actually happens, what the warning signs look like, and what the recovery process involves. I've spent two decades watching companies treat identity theft as a customer service problem when it's actually a structural failure of how identity is verified. The structure isn't going to change soon. The personal defense is what you have.
The two ways identity theft happens
Identity theft starts with the thief obtaining your information. The pathways fall into two categories.
The first is data breaches. Your information was stored by some company (a bank, a healthcare provider, a former employer, a credit bureau, a government agency), the company was breached, and now your information is on the market. This is the most common pathway in 2026, by orders of magnitude.
The second is social engineering or direct theft. Phishing emails that capture credentials. Phone calls that trick you into providing identifiers. Mail theft that captures pre approved credit offers. Skimmers on ATMs that copy card data. Family members or roommates with access to your documents.
The trend is toward breaches. For most adults, your sensitive information is already available to someone willing to pay for it. The protective question isn't "how do I prevent my data from being stolen" anymore. It's "how do I prevent the thief from using my data successfully."
The main types of identity theft
Financial identity theft is the classic version. The thief uses your information to open credit cards, take out loans, or make fraudulent transactions on your existing accounts.
New account fraud is a subcategory of financial identity theft. The thief opens accounts in your name. They show up on your credit report or in collection notices when the thief stops paying.
Medical identity theft is when someone uses your insurance or medical information to obtain treatment, prescriptions, or medical equipment in your name. The damage includes unfamiliar bills, denied claims, and corrupted medical records.
Tax identity theft is when someone files a tax return using your name and Social Security number to claim a refund. You discover the theft when you try to file your real return and the IRS rejects it.
Government benefits fraud is when someone uses your information to claim unemployment benefits, Social Security, or other government payments. This category expanded significantly during the pandemic.
Criminal identity theft is when someone gives your information to law enforcement during an arrest. You find out when there's a warrant in your name or your background check shows convictions you didn't commit.
Synthetic identity theft is the newer variant where the thief combines real information (often a real Social Security number, sometimes belonging to a child) with fabricated names and addresses. The synthetic identity is then used to open accounts and build credit history before being abandoned.
How identity theft gets discovered
Most identity theft is discovered indirectly, through symptoms rather than alerts.
You apply for credit and get rejected unexpectedly. You check your credit report and find accounts you don't recognize.
You receive a bill or collection notice for an account you didn't open.
You file your tax return and the IRS rejects it because someone else already filed using your information.
You receive medical bills for treatments you didn't have.
You receive a notice about unemployment benefits you didn't apply for.
A bank or credit card company contacts you about suspicious activity.
The FTC reports identity theft as one of the highest volume consumer complaints they handle, with more than a million reports per year.
What to do the moment you suspect identity theft
The first step is to contact the company where the fraudulent activity is happening. Use a phone number from your card or your statement, not from any communication that might have led you to discover the theft.
The second step is to place a fraud alert with one of the three credit bureaus. The bureau you contact is required to notify the other two. Better than a fraud alert is a credit freeze, which prevents new accounts from being opened entirely. Place freezes with all three bureaus separately.
The third step is to file an identity theft report with the FTC at IdentityTheft.gov. The site walks you through the process and generates an Identity Theft Report you can use to dispute fraudulent activity.
The fourth step is to file a police report if there's evidence of crime against you specifically. Some companies require a police report before they'll fully resolve fraud disputes.
The fifth step is documentation. Save everything. Notification emails, phone call records, bills, statements, IRS letters. Keep a log with dates and reference numbers.
These five steps can be done within a day or two. Doing them quickly limits the thief's window of opportunity.
The longer recovery process
Disputing fraudulent accounts on your credit report is done with each bureau separately. Submit the Identity Theft Report and explain which accounts are fraudulent. The bureaus have 30 days to investigate and respond.
Closing fraudulent accounts requires contacting each creditor directly. The process can take weeks per account.
Disputing fraudulent charges on your real accounts has shorter windows. Federal law gives you 60 days for credit cards. File disputes promptly.
Resolving tax related identity theft requires filing IRS Form 14039 (Identity Theft Affidavit). After resolution, the IRS issues you an Identity Protection PIN that you use on future returns.
Fixing medical records is harder. You contact each provider where fraudulent treatment occurred and request the records, then dispute the inaccuracies.
Through all of this, document everything and keep monitoring.
Credit freezes and protection in detail
A credit freeze is the single most effective protective measure for most identity theft scenarios.
When your credit is frozen, the bureaus block access to your credit report. Lenders pulling your report for new credit applications get a denial. They typically refuse to open the account without verification you provide directly.
The freeze is free under federal law. You can place freezes with each of the three bureaus separately:
The freeze stays in place until you lift it. Lifting takes a few minutes online.
Beyond the freeze:
The IRS Identity Protection PIN program lets you opt into using a six digit PIN on your tax returns. Anyone filing a return with your SSN must include the PIN. Sign up at IRS.gov.
Reviewing your annual free credit reports from each bureau through AnnualCreditReport.com catches anything you missed.
For Social Security related fraud, the SSA's my Social Security service lets you monitor your earnings record and Social Security benefits status.
Children and elderly relatives
Children are targeted because they have clean credit histories and the fraud often goes undetected for years. Synthetic identity theft frequently uses children's SSNs. Most parents don't think to check their child's credit. Place credit freezes on your child's credit through each of the three bureaus.
Elderly relatives are targeted because they often have established credit, retirement savings, and social isolation that makes social engineering easier. If you have elderly relatives, talk about identity theft with them. Help them set up credit freezes if they're not actively applying for credit.
What you can do before identity theft happens
Place credit freezes proactively. They're free and protect against the most common scenario.
Sign up for the IRS Identity Protection PIN program before tax season.
Use unique passwords for every account, generated and stored in a password manager.
Enable 2FA on financial and government accounts.
Limit the personal information you share. Birth dates, addresses, phone numbers. Don't enter them when they're optional.
Shred documents that contain personal information before throwing them away.
Check your credit reports periodically.
A quick analogy
Identity theft is like having someone steal a copy of your house key. The key works in the lock. The lock doesn't know that the person at the door isn't you.
You can't change your name, your date of birth, or your Social Security number any more easily than you can change your house's foundation. The identifiers are fixed. What you can change is whether the keys to your various accounts work.
Credit freezes are deadbolts. Even with a copy of the key, the deadbolt blocks entry.
2FA on accounts is the alarm system. Even if the thief gets past the lock, the alarm triggers and you find out.
Credit monitoring is the camera. You can't always prevent break ins but you can see them happening.
The Identity Theft Report from the FTC is the police report. It establishes that you're the actual victim and gives you legal standing to dispute the thief's actions.
Frequently asked questions
Can I change my Social Security number?
In rare cases, yes. The Social Security Administration will issue a new number if you can document significant ongoing harm. For most identity theft cases, getting a new SSN is more disruptive than dealing with the existing fraud.
Should I pay for identity protection services?
The free options cover most of what paid services do. Credit freezes are free. The FTC's recovery process at IdentityTheft.gov is free. Paid services add features like dark web monitoring and concierge restoration help.
What if my identity is stolen and I don't catch it for years?
Recovery is harder when the theft has been ongoing, but still possible. The Identity Theft Report process at IdentityTheft.gov works regardless of when the theft started.
Are children targeted for identity theft?
Yes, increasingly. Children's Social Security numbers are valuable for synthetic identity theft. The defensive recommendation is to place credit freezes on your children's credit through each of the three bureaus.
Can I sue the company whose breach exposed my data?
Class action lawsuits follow large breaches. Settlements are typically small per individual but can be meaningful if you file a claim.
Does identity theft affect my credit score directly?
Yes, especially when fraudulent accounts go unpaid and end up in collections. After the theft is documented and the fraudulent accounts are removed, your score recovers.
How do I freeze credit for someone with a power of attorney?
The bureaus require documentation of your authority, which varies by bureau. The process is more cumbersome than freezing your own credit but the protection is the same once in place.
What to do next
If you don't have credit freezes with the three bureaus, place them this week.
If you haven't signed up for the IRS Identity Protection PIN program, do it before tax season.
If you don't have a password manager and unique passwords across accounts, fix that.
If you have elderly relatives or children, consider their identity protection separately.
If you suspect you're already a victim, file an identity theft report at IdentityTheft.gov and work through the recovery checklist it generates.
The data is already out there for most adults. The protective work is to make sure the data can't be used effectively against you.