What to do if your identity has been stolen

I have talked a lot about protecting your identity and using VPNs and password managers to protect your personal data. Even with those precautions, you merely lower the chances of being hacked rather than eliminate it altogether. If your identity is stolen, what should you do?

This page offers a practical guide to identity theft and will cover the signs of ID theft and what to do if you suspect, or know your identity has been stolen.

Signs of identity theft

There are several signs of identity theft that can lead you to believe you may be a victim. Those signs include:

1. Unexplained items appear in bank statements or online store order history.
2. You receive emails confirming purchases you didn’t make.
3. You receive password reset emails you didn’t authorise.
4. Your bank statements or other bills no longer arrive at your home.
5. An application for credit is refused.
6. You are contacted by debt collection agencies or financial organisations about debt you didn’t know you had.

1. Unexplained items appear in bank statements or online store order history

A classic sign of ID theft is the purchase or purchases of items you didn’t buy appearing on your bank statement. If you shop online, you may also notice orders you don’t recognise in your order history or a debit balance when you thought everything was paid off.

2. You receive emails confirming purchases you didn’t make

Hackers will often change the notification email on accounts but that doesn’t always work without confirmation. If you see emails confirming purchases you didn’t make, don’t follow any links or take action with the email itself as it could be phishing.

Instead, log onto your bank or favourite online store separately and look at your statement or order history. If you see orders there you didn’t make, it’s a good sign your ID has been stolen.

3. You receive password reset emails you didn’t authorize

As mentioned above, when hackers steal account information, one of the first actions they will take is to change the email address linked to that account. Many websites will send an alert to the address first to check it is an authorised change. Most will email you after the fact.

If you see one of these emails, your identity has likely been stolen.

4. Your bank statements or other bills no longer arrive at your home

Many banks and utilities now prefer to email your statements or bills as it saves them money helps the environment. If you still get paper bills but they suddenly stop arriving and your bank or utility provider hasn’t gone paperless, they could have been diverted.

Utility bills are often used to prove identity when applying for credit. If yours have been diverted, someone may be trying to access credit in your name.

5. An application for credit is refused

If you buy a new mobile phone contract, want to pay insurance monthly or get a personal loan, the provider will first check your credit report. If there is a lot of activity on your report, such as multiple applications for credit, they may refuse your application.

6. You are contacted by debt collection agencies

If you are contacted out of the blue by lenders or collection agencies over debts you didn’t apply for, this is a definite sign your identity has been stolen. An unpleasant experience but one that can be addressed.

What to do if you are a victim of identity theft

The first rule of identity theft is whatever you do, do it fast. You precise actions depend on what has happened and how your identity was stolen.

1. Perform a full antivirus and malware scan on all your devices.
2. Secure your WiFi and change the wireless password.
3. Inform your bank, credit card company and any utilities and lenders of the theft.
4. Report any lost documents to the relevant authorities.
5. Check with the credit reference agencies and put a hold on your credit file.
6. Report the theft to Action Fraud.
7. Contact CIFAS (UK only).

1. Perform a full antivirus and malware scan on all your devices

There is lots of malware out there designed to harvest your personal information and send it to hackers. Performing a full antivirus scan and malware scan will check your devices for any such program and remove it.

This step should be undertaken regardless of how your identity was stolen. It’s good practice and makes double sure your devices are all clean and free of malware.

This should definitely be your first step as all following steps can be done online and you will want to do that on a ‘clean’ computer.

2. Secure your WiFi and change the wireless password

Unless you know exactly how the hacker or scammer stole your identity, take no chances. If you use WiFi in your home, make sure it uses WPA2 encryption and change the wireless access password. If they have been able to hack into your wireless network to steal data, this should prevent them accessing it again.

We do this next so you can safely contact banks and other interested parties online without the hacker finding out or intercepting your traffic.

3. Inform your bank, credit card company and any utilities and lenders of the theft

Let your bank, credit card company, any lenders and your service providers of the identity theft. They can put a hold or a watch on your accounts to prevent any theft or change of details. Some banks will automatically switch your account number and give you a new card. Others will put a credit hold on them instead.

Work with the organisations to minimise the impact. As long as you were not to blame and took reasonable precautions to protect your data, you will not be held liable for losses.

4. Report any lost documents to the relevant authorities

If you cannot find your passport, driving licence, credit card, chequebook or other official paperwork, inform the authority responsible. They can put a hold on the account in question and either issue a new one or monitor your existing one.

5. Check with the credit reference agencies and put a hold on your credit file

There are three main credit reference agencies in the UK. They are:

• TransUnion, Consumer Services Team, PO Box 491, Leeds LS3 1WZ
• Equifax, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS
• Experian, Customer Support Centre, PO Box 8000, Nottingham, NG80 7WF

Contact each of them, explain the situation and have them put a hold on your file. This will prevent the scammer from applying for any (more) credit in your name. They will also be able to assist you clean up the mess afterwards, including scrubbing your credit report of any fraudulent activity.

You can also request they add a notice of correction password. This means any credit application in your name would require a specific password to authorise. A password only you and the credit reference agencies will know.

Technically you only need to contact one of them and they then contact the other two but you want to control as much of this process as possible and ensure a block is put on your file(s) as quickly as possible. Hence the recommendation to contact all of them yourself.

6. Report the theft to Action Fraud (England, Wales and Ireland only)

Action Fraud is a police organisation that handles cybercrime. They won’t do any investigating as they simply don’t have the resources but they will give you a crime number. You may need this crime number when cleaning up afterwards.

7. Contact CIFAS (UK only)

CIFAS is an organisation dedicated to combating fraud. They have a system called Protective Registration that costs £25 for two years. Organisations signed up to the system will see a flag on your account that requires extra verification in order to release extra credit in your name.

Not all financial institutions are members of CIFAS but there are a lot who are. It’s a worthwhile extra step to protect your credit and might be worth taking depending on how far the scammer got with your identity.

Cleaning up after identity theft

Once you have taken those important steps, now is a good time to check email passwords, bank logins, credit card account logins and anything else that may have been compromised. Use a password manager to generate unique, non-dictionary passwords with as many characters as the website allows. Then let the password manager save them for you.

It might be a good idea to warn your friends and email contacts that your account may have been compromised. That way, if they receive an email supposedly from you, they will be alert to the risk of it being a scam.

Take stock of any losses you have suffered and work with the relevant agencies to address it. As long as you can demonstrate you took reasonable precautions to protect your accounts, you cannot be held liable (in the UK at least). If you can also demonstrate that you took prompt and decisive action when you discovered the ID theft, your defence becomes even stronger.

Most financial institutions are now used to handling identity theft and will not blame you. All anyone is interested in is protecting you and them from loss. Most institutions will have dedicated fraud teams that can help you recover your accounts, prevent financial loss and help you protect yourself better in the future. My advice would be to let them as long as they don’t try to charge you for it!