1. Stop account access
Tell your bank or card provider if money moved or account access looks wrong. Change passwords starting with email, then banking and shopping accounts.
Identity theft is frightening because the damage can appear later. The job is to close access, watch the credit file, preserve evidence and create a clear complaint trail.
Tell your bank or card provider if money moved or account access looks wrong. Change passwords starting with email, then banking and shopping accounts.
If you installed software or opened a suspicious link, run antivirus and follow NCSC guidance. Use two-step verification where available.
Look for searches, accounts, credit applications or addresses you do not recognise. Keep screenshots and dates.
Cifas Protective Registration can prompt extra checks when your details are used to apply for products. It can slow genuine applications, so read the rules first.
Record the date you noticed the problem, who you contacted, reference numbers, account names, screenshots, letters, rejected applications and any further suspicious messages. That diary helps if a bank, lender or ombudsman later asks what happened.
Identity theft has two phases: stop new damage, then repair the existing damage. Phase one is urgent and often skipped. Secure your email and bank logins first — change reused passwords and enable two-factor authentication — because email access lets a fraudster reset everything else. Contact your bank's fraud team using official details and ask for markers on your accounts. Then place a Cifas Protective Registration, which flags your name so lenders apply extra verification, and check your file with all three credit reference agencies — Experian, Equifax and TransUnion — since fraud may appear on one but not another.
Only once new applications are blocked does it make sense to work through the repair sequence and the fraud diary above. Doing it in the other order means you are cleaning up a leak while the tap is still running.
Honestly, weeks to many months, depending on how many accounts were touched and how fast you reported. Fraudulent accounts and credit-file markers can usually be removed once each lender investigates, but each one is a separate case with its own timeline. The single biggest lever on that timeline is speed of detection, which is why a Cifas registration and regular free credit-report checks are worth keeping in place long after the immediate incident.
Speed matters more than anything else with identity theft, because the longer a fraudster has your details, the more accounts they can open. If you discover or strongly suspect your identity has been stolen, work through this sequence — adjust the order only if money is actively leaving an account, in which case the bank comes first.
The earlier you notice, the less damage is done, so it pays to know the warning signs. Be alert to: post that stops arriving (a fraudster may have redirected your mail); statements or bills for accounts you never opened; being turned down for credit unexpectedly when you have a good history; calls from debt collectors about debts that are not yours; or texts and emails confirming applications you did not make. Any one of these is worth checking your credit report over.
Prevention is mostly a set of habits rather than a single product. Use a different, strong password for every important account and store them in a password manager; turn on 2FA everywhere it is offered; shred documents that show your name, address, account numbers or date of birth; and be sceptical of unsolicited messages asking you to "verify" details or click a link, which is how phishing harvests the information used for fraud. Checking your statutory credit reports a few times a year — free from all three agencies — is one of the cheapest early-warning systems available. Keeping a Cifas registration in place after an incident extends that protection.
Two situations are worth separating. Account-takeover fraud is where someone gains access to your existing account and makes payments you did not authorise — these are "unauthorised" transactions, and under the Payment Services Regulations your bank must normally refund them promptly unless it can show you acted fraudulently or with gross negligence. Report it as soon as you notice, and the refund is usually straightforward.
Authorised push payment (APP) fraud is different and harder: it is where you are tricked into authorising a payment yourself — for example a scammer posing as your bank, a builder, or a "safe account". Because you made the payment, the rules differ, but UK reimbursement rules now require banks and payment firms to reimburse most victims of APP scams made by bank transfer, with limited exceptions. The practical advice is the same in both cases: report to your bank immediately (every hour counts, because banks can sometimes recall a transfer before it is withdrawn), get a crime reference number from Action Fraud, and keep a written fraud diary of dates, names, reference numbers and outcomes. If the bank declines to reimburse and you disagree, you can escalate the complaint for free to the Financial Ombudsman Service. A clear, dated record is your strongest tool throughout.
Every page is reviewed against the editorial standards, written from primary sources, sourced openly, and corrected publicly. No affiliate revenue. No sponsored content. No paid placements.