Deep Dive
Step-by-step breakdown
Step 1. Unexpected credit inquiries you didn't authorize
Hard inquiries show up on your credit report every time someone applies for credit using your information. If you see inquiries from lenders you never contacted, someone is using your identity to apply for credit. Each unauthorized inquiry can drop your score 5 to 10 points, and they signal that new fraudulent accounts may already be open or pending approval.
Check all three bureau reports because inquiries don't always appear on all of them. Equifax, Experian, and TransUnion each maintain separate records. A thief who applied at multiple lenders could have inquiries scattered across all three. Review your reports weekly through AnnualCreditReport.com and set up monitoring alerts through Credit Club to catch new inquiries within 24 hours.
When you spot an unauthorized inquiry, file a fraud alert immediately with all three bureaus. Under the Fair Credit Reporting Act, you only need to contact one bureau, and that bureau must notify the other two. A fraud alert requires creditors to verify your identity before opening new accounts. This is your fastest defensive move.
- Hard inquiries from unknown lenders are the earliest warning sign of identity theft
- Check all three bureau reports because inquiries don't always appear on every report
- File a fraud alert with one bureau, and it automatically applies to all three under FCRA
- Each unauthorized inquiry can lower your score 5 to 10 points
- Weekly report monitoring through AnnualCreditReport.com catches inquiries early
Step 2. Accounts you never opened appearing on your report
Finding accounts you never opened is definitive proof that someone has used your identity. These can include credit cards, personal loans, auto loans, retail store accounts, and even mortgage applications. Thieves often start with easier-to-open retail cards before moving to larger credit lines. By the time you discover the first fraudulent account, there may already be several more in the pipeline.
The damage from fraudulent accounts goes beyond the credit hit. If the thief maxes out the card and never pays, you'll see late payments, collections, and possibly charge-offs on your record. These negative marks can take 7 years to fall off your report. Acting within the first 30 days gives you the best chance of getting everything removed quickly through the identity theft dispute process, which operates on a faster timeline than standard disputes.
File an Identity Theft Report with the FTC at IdentityTheft.gov. This creates an official record that gives you specific rights under FCRA Section 605B, including the right to have fraudulent accounts blocked from your report within 4 business days. Send a copy of the FTC report to each bureau along with your dispute.
- Fraudulent accounts are definitive proof of identity theft, not just a suspicion
- Thieves typically start with easy-to-open retail cards and escalate to larger credit lines
- FCRA Section 605B requires bureaus to block fraudulent accounts within 4 business days when you provide an Identity Theft Report
- Unpaid fraudulent accounts can generate late payments, collections, and charge-offs that last 7 years
- File your FTC Identity Theft Report at IdentityTheft.gov immediately upon discovery
Step 3. Bills and mail stop arriving
A sudden stop in your regular mail, especially bank statements, credit card bills, and explanation of benefits from insurance, is a strong signal that someone filed a change-of-address form with the USPS to redirect your mail. Thieves do this to intercept new credit cards, account statements, and any letters from creditors that might tip you off to the fraud.
Check your mail forwarding status at USPS.com. You can create an Informed Delivery account to see digital previews of incoming mail before it arrives. If mail is being forwarded to an address you don't recognize, contact your local post office and file a report. Mail fraud is a federal crime, and the Postal Inspection Service investigates these cases.
Beyond mail, watch for emails from your bank or credit card company about address changes you didn't make. Many institutions send confirmation emails when contact information is updated. If you get one of these and you didn't request the change, call the institution immediately using the number on the back of your card or on their official website.
- Mail redirect via fraudulent USPS change-of-address forms is a common identity theft tactic
- Create an Informed Delivery account at USPS.com to preview incoming mail digitally
- Mail fraud is a federal crime investigated by the U.S. Postal Inspection Service
- Watch for unsolicited address-change confirmations from banks and creditors
- Contact institutions immediately using numbers from your physical card, not from any email you received
Step 4. Collection calls for debts you don't recognize
Receiving calls from collection agencies about debts you never incurred is a late-stage warning sign. By the time a fraudulent debt reaches collections, the thief opened the account, maxed it out, and the original creditor gave up trying to collect. The debt has been sold to a collector, and now they're coming after you because the account was opened with your personal information.
Don't ignore these calls and don't agree to pay anything. Under the Fair Debt Collection Practices Act (FDCPA), you have the right to request written verification of the debt within 30 days of first contact. Send a debt validation letter via certified mail. The collector must provide the name of the original creditor, the amount owed, and proof that you're actually responsible for the debt. If the debt is fraudulent, they won't be able to verify it properly.
Document every collection call with the date, time, caller name, company name, and what was said. This documentation is essential if you need to file a complaint with the CFPB or pursue legal action. If you've already filed an FTC Identity Theft Report, send a copy to the collection agency. Under FCRA 615(g), the collector must stop trying to collect a debt you've identified as resulting from identity theft once they receive the report.
- Collection calls about unknown debts indicate late-stage identity theft where accounts were opened and defaulted
- Never agree to pay a debt you don't recognize, as payment can be treated as acknowledging the debt
- Send a debt validation letter via certified mail within 30 days under the FDCPA
- FCRA 615(g) requires collectors to stop collection activity once they receive an Identity Theft Report
- Document every call with date, time, caller name, and details for CFPB complaints or litigation
Step 5. Medical bills for treatments you never received
Medical identity theft happens when someone uses your health insurance information to receive medical care, fill prescriptions, or submit fraudulent insurance claims. It's particularly dangerous because incorrect medical records can lead to wrong treatments if you're ever in an emergency. According to the FTC, medical identity theft accounts for about 10% of all identity theft cases but causes disproportionate harm.
Review your Explanation of Benefits (EOB) statements carefully. Your insurer sends an EOB after every claim, and it lists the provider, date of service, procedures performed, and amounts billed. If you see services you never received, contact your insurer's fraud department immediately. Also request a full accounting of disclosures from your healthcare providers under HIPAA to see who has accessed your medical records.
Correcting medical records is harder than fixing credit reports. There's no equivalent of the 30-day dispute resolution timeline. You'll need to work directly with each healthcare provider to amend records under HIPAA. Request copies of all records in your name to identify which information is yours and which was added by the thief. Keep a personal health record that documents your actual medical history as a reference.
- Medical identity theft can lead to incorrect medical records and dangerous treatment errors
- Review every Explanation of Benefits statement for services you didn't receive
- Request HIPAA accounting of disclosures from healthcare providers to track unauthorized access
- Medical record correction is harder than credit report disputes with no mandated timeline
- Maintain a personal health record documenting your actual medical history as a safeguard
Step 6. IRS notices about duplicate tax returns
If you receive an IRS notice saying a return was already filed with your SSN, a thief used your information to file a fraudulent tax return and collect your refund. Tax identity theft spiked during the pandemic and remains one of the most common forms. The IRS Identity Protection PIN program was expanded nationally in 2021, and getting a PIN is the single best defense against repeat tax identity theft.
File IRS Form 14039, Identity Theft Affidavit, immediately. This alerts the IRS to the fraud and begins the resolution process. You'll also need to file your actual tax return by paper if you can't e-file due to the duplicate. The IRS resolution process typically takes 120 to 180 days, during which any refund you're owed will be held. While frustrating, the IRS will eventually process your legitimate return.
Going forward, apply for an Identity Protection PIN (IP PIN) at IRS.gov. The IP PIN is a unique six-digit number that changes annually and must be included on your tax return for it to be accepted. Without your IP PIN, a thief cannot file using your SSN. This is the most effective preventive measure against tax identity theft and it's completely free.
- IRS notices about duplicate returns mean a thief filed using your SSN to steal your refund
- File IRS Form 14039 (Identity Theft Affidavit) immediately to begin the resolution process
- Paper-file your legitimate return if e-filing is blocked by the fraudulent filing
- IRS resolution takes 120 to 180 days, and your refund will be held during that period
- Apply for a free IP PIN at IRS.gov to prevent future tax identity theft
