Skip to main content
Identity theft

Identity theft response plan

Identity theft is frightening because the damage can appear later. The job is to close access, watch the credit file, preserve evidence and create a clear complaint trail.

Bank firstIf money moved
Email firstIf passwords leaked
Credit fileWatch applications
CifasProtective Registration route
Action plan

Work through the sequence

1. Stop account access

Tell your bank or card provider if money moved or account access looks wrong. Change passwords starting with email, then banking and shopping accounts.

2. Secure devices and email

If you installed software or opened a suspicious link, run antivirus and follow NCSC guidance. Use two-step verification where available.

3. Check credit reports

Look for searches, accounts, credit applications or addresses you do not recognise. Keep screenshots and dates.

4. Consider fraud markers

Cifas Protective Registration can prompt extra checks when your details are used to apply for products. It can slow genuine applications, so read the rules first.

Evidence

Keep a simple fraud diary

Record the date you noticed the problem, who you contacted, reference numbers, account names, screenshots, letters, rejected applications and any further suspicious messages. That diary helps if a bank, lender or ombudsman later asks what happened.

Lock down

Lock down before you clean up

Identity theft has two phases: stop new damage, then repair the existing damage. Phase one is urgent and often skipped. Secure your email and bank logins first — change reused passwords and enable two-factor authentication — because email access lets a fraudster reset everything else. Contact your bank's fraud team using official details and ask for markers on your accounts. Then place a Cifas Protective Registration, which flags your name so lenders apply extra verification, and check your file with all three credit reference agencies — Experian, Equifax and TransUnion — since fraud may appear on one but not another.

Only once new applications are blocked does it make sense to work through the repair sequence and the fraud diary above. Doing it in the other order means you are cleaning up a leak while the tap is still running.

FAQ

How long does identity theft take to resolve?

Honestly, weeks to many months, depending on how many accounts were touched and how fast you reported. Fraudulent accounts and credit-file markers can usually be removed once each lender investigates, but each one is a separate case with its own timeline. The single biggest lever on that timeline is speed of detection, which is why a Cifas registration and regular free credit-report checks are worth keeping in place long after the immediate incident.

Sources
First 24 hours

The immediate steps, in order

Speed matters more than anything else with identity theft, because the longer a fraudster has your details, the more accounts they can open. If you discover or strongly suspect your identity has been stolen, work through this sequence — adjust the order only if money is actively leaving an account, in which case the bank comes first.

  1. Contact your bank and card providers. Ask them to freeze affected cards, block online banking and open a fraud case. Phone the number on the back of your card or your bank's official app — never a number from a text or email. If you are unsure a caller really is your bank, hang up and dial 159, the secure Stop Scams UK line that connects you straight to your bank's fraud team.
  2. Change your passwords, starting with email. Email is the master key: whoever controls it can reset everything else. Use a strong, unique password for each account and turn on two-factor authentication (2FA), ideally via an authenticator app rather than SMS, which can be intercepted by SIM-swap fraud.
  3. Report it to Action Fraud (the UK's national fraud reporting centre) on 0300 123 2040 or online; in Scotland report to Police Scotland on 101. You will be given a crime reference number, which banks and credit agencies often ask for.
  4. Place a Cifas Protective Registration against your name. This flags your details so that lenders carry out extra identity checks before approving any new credit — a strong deterrent against further misuse. It can slow your own genuine applications, which is the trade-off.
  5. Check your credit report with all three agencies — Experian, Equifax and TransUnion. Fraud can show on one but not the others, so checking only one is not enough. Look for accounts, searches or addresses you do not recognise, and report anything unfamiliar to the agency and the lender involved.
  6. Contact every organisation affected — not just banks, but mobile providers, HMRC, the DVLA or any account where your details may have been used to impersonate you.
Spot it early

Spotting it early, and reducing the risk

The earlier you notice, the less damage is done, so it pays to know the warning signs. Be alert to: post that stops arriving (a fraudster may have redirected your mail); statements or bills for accounts you never opened; being turned down for credit unexpectedly when you have a good history; calls from debt collectors about debts that are not yours; or texts and emails confirming applications you did not make. Any one of these is worth checking your credit report over.

Prevention is mostly a set of habits rather than a single product. Use a different, strong password for every important account and store them in a password manager; turn on 2FA everywhere it is offered; shred documents that show your name, address, account numbers or date of birth; and be sceptical of unsolicited messages asking you to "verify" details or click a link, which is how phishing harvests the information used for fraud. Checking your statutory credit reports a few times a year — free from all three agencies — is one of the cheapest early-warning systems available. Keeping a Cifas registration in place after an incident extends that protection.

Getting money back

Recovering from APP and account-takeover fraud

Two situations are worth separating. Account-takeover fraud is where someone gains access to your existing account and makes payments you did not authorise — these are "unauthorised" transactions, and under the Payment Services Regulations your bank must normally refund them promptly unless it can show you acted fraudulently or with gross negligence. Report it as soon as you notice, and the refund is usually straightforward.

Authorised push payment (APP) fraud is different and harder: it is where you are tricked into authorising a payment yourself — for example a scammer posing as your bank, a builder, or a "safe account". Because you made the payment, the rules differ, but UK reimbursement rules now require banks and payment firms to reimburse most victims of APP scams made by bank transfer, with limited exceptions. The practical advice is the same in both cases: report to your bank immediately (every hour counts, because banks can sometimes recall a transfer before it is withdrawn), get a crime reference number from Action Fraud, and keep a written fraud diary of dates, names, reference numbers and outcomes. If the bank declines to reimburse and you disagree, you can escalate the complaint for free to the Financial Ombudsman Service. A clear, dated record is your strongest tool throughout.

Editorial accountability
Open Trust Centre →

Every page is reviewed against the editorial standards, written from primary sources, sourced openly, and corrected publicly. No affiliate revenue. No sponsored content. No paid placements.

Editorial standards Editorial process Corrections policy How we make money Editorial team Methodology