Identity Theft Recovery

TL;DR

• Identity theft is when someone uses your personal details — name, date of birth, ID document, address, tax number — to open accounts, take loans, file claims, or commit crimes as if they were you.
• It is different from a hacked account. With a hacked account, you take it back. With identity theft, you have to prove to many organisations, one by one, that you are still you.
• The first week is the most important. Freeze credit, document everything, file a police report you can show to banks and to credit bureaus, and tell the institutions where your identity has been used.
• Most of the recovery is administrative, not technical. It is paperwork, phone calls, and patience — not "hacking back."
• This will take months. Plan for that emotionally. Keep a single file (paper or digital) with every letter, email, and reference number — it becomes your evidence and your sanity.

What it is

Identity theft means someone is using your personal data to be you in front of organisations that don't yet know it isn't you. Common forms:

• New-account fraud. Bank accounts, credit cards, phone contracts, online shopping accounts, sometimes loans — opened in your name, often at a different address.
• Tax and benefits fraud. A fake tax return filed in your name claiming a refund, or unemployment / social benefits claimed in your name.
• Medical identity theft (more common in the US, growing elsewhere). Someone uses your ID to receive medical care, leaving you with the bills and a contaminated medical record.
• Document fraud. Your passport or ID-card data used to forge documents for others. Sometimes used in trafficking and organised crime.
• Criminal impersonation. Someone arrested gives the police your name. The criminal record attaches to you until you prove it.
• Synthetic identity. A fake person built from your real details mixed with invented ones — often used to slowly build a fake credit history and then disappear with large loans.

The thieves are rarely the people who originally collected the data. Personal data is sold and resold across underground marketplaces. The person opening a credit card in your name in another city may have bought your details two years after a breach you never heard about.

How you find out

Often you don't, for months. The most common discovery points:

• A debt-collection letter for a debt you never took on.
• A rejected credit application — because there is already a credit record in your name that you didn't create.
• A bank or shop calling about an order that wasn't yours.
• A tax authority sending a letter about a refund you didn't request.
• A new account showing on your credit report.
• A package addressed to you arriving at someone else's address.
• A police officer at your door, asking about an offence you did not commit.

Any one of these is enough to begin. Don't wait for a second sign.

What to do — the first 72 hours

Work through this in order. Slow down — speed matters less here than thoroughness. Identity theft recovery is a paperwork war, and you need a clean paper trail from the very first call.

1. Start a recovery file. A folder, a notebook, a single digital document. Date, time, organisation, person you spoke with, what they said, any reference number they gave you. Every conversation. From the first call onward. This file is your evidence, your sanity, and your proof to other organisations that you are taking the right steps.
2. File a police report. Even if the police cannot recover anything for you. The report (and its reference number) is what banks, credit bureaus, tax authorities, and platforms will ask you for over the next months. In most countries you can file online or by going to a local station. Bring your ID and a written summary of what has happened.
3. Contact the credit bureaus in your country and place a fraud alert or credit freeze on your file. A freeze prevents new accounts being opened in your name without your direct consent. It is the single most powerful action available to you. (In Switzerland, contact ZEK and CRIF. In Germany, SCHUFA. In Austria, KSV1870. In the UK, Experian, Equifax, TransUnion. In the US, the three same plus Innovis. In France, Banque de France's FCC. In Italy, CRIF. In Spain, ASNEF. In Portugal, Banco de Portugal's CRC. In Brazil, Serasa.)
4. Notify your bank, your credit-card issuer, and any payment apps. Even if no money has moved yet. Ask the fraud team to flag your accounts for higher-risk monitoring. If unfamiliar transactions exist, dispute them in writing — keep copies.
5. Notify your phone carrier, and ask them to add an account PIN or port-out protection so an attacker cannot transfer your number to a different SIM.
6. Notify your tax authority and your country's social security / health insurance administrator, especially if you suspect benefits or tax fraud.
7. Notify any specific organisation where you know your identity has been used. Send a written letter (email is fine if they offer it) with your name, ID, the police report number, and the specific account or transaction in question. Keep a copy of every letter you send.

What to do — the next two weeks

• Pull your full credit report from each bureau in your country and read it carefully. Every line. Mark anything you don't recognise.
• Dispute every fraudulent entry in writing, with the police report number attached. Each bureau has a specific dispute process; follow it exactly.
• Change passwords on every important account — start with email and bank, then move outward. Use unique passwords. Turn on two-factor authentication wherever possible.
• Replace your ID document if you believe a physical document was used — passport, ID card, driver's licence. Most countries have a fast-track replacement when an identity theft police report is on file.
• Notify employer HR if your tax number was used or if a fake tax document might appear in your file.
• Tell close family. Identity thieves who got your details often have details of your relatives too — siblings, parents, children. Warn them so they can watch their own credit and post.

What to do — the next six months

• Watch every bank statement and credit report monthly. New entries can appear long after the original theft.
• Keep written records of every dispute and outcome. If a dispute is rejected and you believe the entry is fraudulent, escalate to the national ombudsman (financial services ombudsman, data-protection authority, or telecom regulator depending on the entry type).
• Be patient with stuck cases. Some entries take months to remove. Persist. The bureau is required by law in most countries to investigate and respond within a defined window — keep track of the dates and remind them when the window closes.
• Watch your tax filing. When you file the year's taxes, do it early — earlier than the fraudster might attempt a duplicate filing.

What NOT to do

• Don't pay debts that aren't yours just to make them go away. Once you pay, the debt is far harder to dispute. Dispute first, in writing, with the police report attached.
• Don't sign anything an unfamiliar collector sends you. Some debt-collection notices for fraudulent debts are themselves attempts to trick you into acknowledging the debt.
• Don't speak to debt collectors over the phone without taking notes and asking for everything in writing. Verbal conversations leave you with no record.
• Don't trust services that promise to "delete you from the internet" or "remove all your data" for a fee. Some are legitimate but limited; many are themselves data collectors. Read independent reviews before paying anyone.
• Don't give up on a small fraudulent entry. Small unpaid items become bigger problems years later when they appear on a credit report during a mortgage application.
• Don't blame yourself. The original data leak was almost certainly not your fault — it was a company you trusted that lost control of your data.

Use AI to help you

Identity theft recovery is full of letters, summaries, and chronologies that AI can help you draft. Don't paste your full ID number into a public AI — but the shape of a dispute letter, or a sorted timeline of what happened, is exactly where an AI saves hours.

Drafting a dispute letter:

"I am a victim of identity theft. Someone opened [type of account] with [name of organisation] using my personal details, on or around [date]. I have already filed a police report — reference [number]. Please draft a formal dispute letter to [organisation] in [language], requesting that they (a) close the fraudulent account, (b) remove it from any credit reporting, (c) confirm in writing what evidence they have on file, and (d) confirm the steps they will take. Keep the tone firm and factual, not emotional."

Building a recovery timeline:

"Please help me build a clean chronological summary of my identity-theft case so far, for use when I contact additional banks and credit bureaus. Below is the sequence of events as I remember them, with dates where I have them. Organise it as a numbered timeline and flag any gaps where I should look for missing information. [paste your notes]"

A reminder: AI is excellent at drafting, summarising, and helping you keep track. It cannot — and must not — replace official documents or speak to authorities on your behalf. Use it to prepare; act yourself.

Who to call

The order: police report, credit bureaus, specific organisations where your identity has been used, tax / social-security authorities.

Find the latest contacts for your country with AI:

"I'm in [your country]. List the official bodies I need to contact for identity-theft recovery — the credit bureaus (so I can freeze my credit), the police service for filing a fraud report, the tax authority (in case of tax-identity fraud), the social-security or health-insurance administration, the financial ombudsman, and any non-profit victim-support service. For each, give the official website, public phone number, and (where applicable) the specific online portal for self-disclosure or freeze requests. Tell me the order to contact them in for the first 72 hours, and any country-specific deadlines I should know. Cite the official source page for each. Flag anything that might be outdated."

A short curated list, grouped by language (for the very latest, prefer the AI prompt above):

• English:
  • UK — Action Fraud (actionfraud.police.uk); CIFAS for protective registration.
  • US — IdentityTheft.gov (FTC); Social Security Administration; the three bureaus (Equifax, Experian, TransUnion).
  • Canada — Canadian Anti-Fraud Centre; Equifax Canada and TransUnion Canada.
  • Australia — IDCARE (free victim support); ReportCyber; the bureaus illion, Equifax, Experian.
• German:
  • Germany — SCHUFA online portal for credit blocks; BSI für Bürger; local Polizei.
  • Austria — KSV1870; Watchlist Internet.
  • Switzerland — ZEK and CRIF (free annual self-disclosure); cantonal police.
• French:
  • France — Cybermalveillance.gouv.fr; Banque de France FCC (file central des chèques) — register opposition.
  • Belgium — Safeonweb.be; Banque-Carrefour.
  • Switzerland (FR) — ZEK, CRIF.
• Italian:
  • Italy — CRIF; Polizia Postale.
  • Switzerland (IT) — ZEK, CRIF.
• Spanish:
  • Spain — ASNEF (Banco de España) and INCIBE (017).
  • Mexico — Buró de Crédito; Condusef.
• Portuguese:
  • Portugal — Banco de Portugal CRC; CNCS.
  • Brazil — Serasa, SPC, Boa Vista; Procon.

If your country isn't listed, search for "[your country] credit bureau identity theft" and "[your country] police identity theft report online."

When to escalate beyond chat

• Someone has been arrested or charged in your name — go to a lawyer immediately. Bring the recovery file. This is a criminal-impersonation matter and needs legal representation, not a phone call.
• Significant debts are accumulating in your name — talk to a non-profit debt counsellor in your country. They can negotiate with collectors on your behalf and have experience with identity-theft cases.
• Mortgage, tenancy, or employment is at risk because of fraudulent entries on your record — bring the police report and the recovery file to the institution in person if you can; in-person beats letters when something time-sensitive is at stake.
• Threats or extortion have started — "pay us and we won't keep using your identity" — do not pay. Report to police as a separate criminal matter, on top of the identity-theft case.
• You are in distress — identity theft recovery is exhausting and shaming. National victim-support organisations exist precisely for this; in Switzerland, opferhilfe-schweiz.ch; in the UK, Victim Support; in the US, IDCARE (free, international); in Germany, Weisser Ring.

Related topics

• "I've Been Hacked" — recovering account access; often the first step of an identity-theft case.
• "Your Data Was Leaked" — where the original information may have come from.
• Phishing & Scam Emails — one of the most common original collection methods.
• Romance & Crypto Fraud — long-form social engineering that often ends in identity theft.

Sources & references (internal — not rendered to the live page):

• EU GDPR — data subject rights and the right to rectification
• US FTC — IdentityTheft.gov recovery workflow
• UK CIFAS — protective registration scheme
• ENISA — annual Threat Landscape on identity-related fraud
• Council of Europe — Convention 108 on automated data