Identity Theft Recovery Checklist: What to Do First

Digital Learning Guide Team

Published May 14, 2026 · Last updated May 18, 2026 · 5 min read · Digital Safety

Written by Digital Learning Guide Team · Reviewed by Darsheel Tiwari, Editor-in-Chief, TheDigitalLife · Editorial standards

Editorial note: This guide is researched and reviewed by the TDL Expert Panel using official sources and is updated when policies or facts change. It is general information, not professional advice. Spotted something wrong? Tell us.

This guide explains confirmed identity theft where your information has already been used or you strongly suspect misuse in a practical, USA-focused way. It is written for someone who needs clear next steps, realistic recovery options, official reporting paths, and a way to organize proof. The goal is not to scare you or promise an impossible fix. The goal is to help you act in the right order, avoid common mistakes, preserve evidence, and contact the correct organization quickly. Digital safety problems often become worse when people keep talking to the scammer, delete proof, wait too long to call the bank, or trust a second scammer who claims to recover lost money. Use this article as a step-by-step checklist and verify any account-specific details directly with the relevant bank, company, agency, or platform.

If you are dealing with confirmed identity theft where your information has already been used or you strongly suspect misuse, act quickly but carefully. Stop communicating with any suspicious person or website, save screenshots and transaction details, secure the affected accounts, and contact the organization that can actually investigate the issue. For this topic, the most important early actions are: go to identitytheft.gov and create a recovery plan, save screenshots, letters, statements, and account alerts, and contact affected companies and ask them to close or flag fraudulent accounts. If money was taken or moved, contact the financial company immediately. If personal information was misused, use IdentityTheft.gov and consider credit freezes or fraud alerts. If the incident involved online crime, account takeover, a wire transfer, or cyber-enabled fraud, consider filing an FBI IC3 complaint as well.

The biggest risk is fraudulent accounts, account takeover, tax identity theft, collection activity, medical identity theft, and credit report damage. Do not assume the problem is solved just because one password was changed or one transaction was reported. Many scams are multi-step: the criminal may use one stolen detail to reset another account, open a new account, convince you to share a verification code, or contact you again as a fake recovery agent. A good response includes securing accounts, reporting the event, watching for related misuse, and keeping records until every dispute or claim is closed.

Emergency Action Box

Stop replying to the suspected scammer or unknown caller immediately.

Do not click more links, download files, install apps, or share one-time codes.

Save screenshots, transaction IDs, phone numbers, website URLs, emails, texts, and account alerts before deleting anything.

Change passwords from a trusted device, especially for email, banking, payment apps, and phone carrier accounts.

Contact your bank, card issuer, payment app, insurer, mobile carrier, or platform if money, access, or identity information was involved.

Use IdentityTheft.gov when personal information was used or exposed, and consider FTC ReportFraud or FBI IC3 for scam or internet crime reporting.

Call 911 or local law enforcement if there is immediate danger, threats, stalking, extortion, or physical safety risk.

Confirm what happened and what information or money is at risk.

Secure the most important account first: email, bank, card, phone, or identity records.

Collect proof before websites, messages, or account screens disappear.

Contact the official organization using a verified phone number or website.

File reports with the appropriate official agency when scam, fraud, or identity theft is involved.

Monitor accounts and credit reports for follow-up damage.

SituationRecommended action
Main problemConfirmed identity theft where your information has already been used or you strongly suspect misuse
Biggest riskFraudulent accounts, account takeover, tax identity theft, collection activity, medical identity theft, and credit report damage
Do firstGo to IdentityTheft.gov and create a recovery plan
Proof to saveScreenshots, dates, amounts, URLs, sender details, account alerts, confirmation numbers, and letters.
Who to contactIdentityTheft.gov, affected banks, creditors, insurers, or platforms, Equifax, Experian, and TransUnion
Escalation pathFTC ReportFraud, IdentityTheft.gov, FBI IC3, CFPB, state attorney general, bank regulator, or local police depending on the incident.
What not to doDo not send more money, share verification codes, call random support numbers, or pay recovery scammers.

Understanding Identity Theft

In plain terms, this situation means that someone may have gained access to information, money, documents, account credentials, or identity data that can be used against you. In the case of confirmed identity theft where your information has already been used or you strongly suspect misuse, the damage may show up immediately or weeks later. A fake transaction may appear first. Then a new account may appear. Then a debt collector, tax notice, bank alert, or account recovery email may follow. That is why the response should not be limited to a single phone call. It should be a documented recovery process.

Many digital safety incidents start with social engineering, not advanced hacking. Scammers impersonate banks, government agencies, delivery companies, relatives, employers, payment apps, or customer support. They pressure people to act quickly, hide the situation from others, or verify identity by giving information that a real company would not ask for in that way. The safest response is to slow down, move to official channels, and treat every request for a password, PIN, one-time code, remote access, gift card, crypto transfer, or wire transfer as suspicious until verified.

Warning Signs

  • You are told to act immediately or your account will be closed, arrested, charged, or permanently locked.
  • The person asks for a password, PIN, full Social Security number, one-time passcode, recovery code, or remote access.
  • You are asked to move money to protect it, pay a fee to unlock funds, buy gift cards, send crypto, or use Zelle, Venmo, Cash App, or wire transfer.
  • The website link looks similar to a real company but has extra words, misspellings, unusual endings, or a shortened URL.
  • A caller says not to call the official phone number on your card, statement, or app.
  • A message arrives unexpectedly with an attachment, QR code, delivery problem, tax warning, refund promise, or account security alert.
  • The person claims to be from a bank, law enforcement, the IRS, the FTC, the FBI, or a tech company but pressures you for secrecy.

Immediate First Steps

The first step is to separate real risk from panic. Ask three questions: Did you share information? Did money move? Was an account accessed? If the answer to any of these is yes, treat the incident as urgent. If you only saw a suspicious message but did not click or respond, the response may be lighter, but you should still block and report it. If you clicked, entered information, sent money, downloaded an app, deposited a check, or gave remote access, take immediate protective action.

  • Go to IdentityTheft.gov and create a recovery plan
  • Save screenshots, letters, statements, and account alerts
  • Contact affected companies and ask them to close or flag fraudulent accounts
  • Freeze credit or place a fraud alert if new-account fraud is possible
  • Track all confirmation numbers in a recovery log

When you contact an official company, use the number on the back of your card, the official app, a statement, or the verified website typed manually into the browser. Do not use a phone number from a suspicious text, online ad, social media comment, or pop-up. If the issue involves a bank or credit card account, ask for the fraud or disputes department, not general customer service only. If identity theft is involved, document every call and save every confirmation number.

Full Step-by-Step Recovery Plan

  1. Write down exactly what happened: date, time, website, phone number, email address, amount, account involved, and what information was shared.
  2. Secure the account or document most closely connected to the incident. If the issue involves your email, secure email first because email often controls password resets for other accounts.
  3. Change passwords from a trusted device. Use unique passwords and turn on two-factor authentication. Prefer an authenticator app or hardware key for sensitive accounts when available.
  4. Contact the official organization that owns the account, card, phone number, identity record, or transaction. Ask for a case number and written confirmation.
  5. Save proof in a folder: screenshots, statements, chat logs, payment confirmations, recovery emails, police reports, FTC or IC3 reports, and letters.
  6. If personal data was used or exposed, create or update an IdentityTheft.gov recovery plan and consider freezing credit at Equifax, Experian, and TransUnion.
  7. If money was sent, ask the payment company immediately whether a cancellation, reversal, recall, dispute, or fraud claim is possible. Recovery is not guaranteed, but fast reporting can matter.
  8. Monitor related accounts for at least several months. Watch for new login alerts, statement changes, account openings, rejected tax filings, collection notices, or unfamiliar mail.

Collecting and Organizing Proof

Proof Checklist

  • Screenshots of messages, emails, pop-ups, websites, account alerts, or app screens
  • Sender phone number, email address, username, profile link, or website URL
  • Transaction ID, confirmation number, wire reference, check image, claim number, or case number
  • Bank, card, payment app, phone carrier, DMV, insurer, IRS, or credit bureau letters
  • Dates and times of calls, texts, logins, account changes, and transactions
  • Names of representatives you spoke with and what they told you
  • A copy of your FTC Identity Theft Report or police report if applicable
  • Proof that you disputed the issue, such as certified mail receipts, secure messages, or portal confirmations

Who to Contact and How

The correct first contact depends on the damage. For this topic, the most relevant contacts are: IdentityTheft.gov, affected banks, creditors, insurers, or platforms, Equifax, Experian, and TransUnion, local police if a report is required or you know the suspect, FBI IC3 for internet-enabled crime. Always start with the organization that can stop the immediate harm. If a debit card, ACH transaction, or bank login is involved, call the bank first. If a credit card is involved, call the card issuer. If your phone number is involved, call your mobile carrier. If identity theft is involved, use IdentityTheft.gov. If an online crime caused financial loss, IC3 is often appropriate. If there is immediate danger, contact local emergency services.

When speaking with support, be direct. Say that you are reporting fraud, identity theft, unauthorized access, or unauthorized transactions. Ask what department handles that exact problem. Ask whether the account should be locked, closed, reissued, frozen, or flagged. Ask whether you need to submit a written statement. Ask how long the investigation normally takes and how you will receive updates.

Official Reporting Links

  • IdentityTheft.gov - use when your identity was used or personal information was misused.
  • FTC ReportFraud.gov - use to report scams, fraud, fake companies, and deceptive contacts.
  • FBI IC3 - use for internet-enabled crime, account takeover, wire fraud, cyber fraud, or large online losses.
  • CFPB complaint portal - use when a bank, credit card issuer, credit bureau, debt collector, or financial company does not handle your issue properly.
  • State attorney general or consumer protection office - use for state-level consumer fraud complaints.
  • Local police - use for theft, threats, stolen documents, a known suspect, or when a company asks for a police report.

Practical Recovery Checklists

Account and Device Security Checklist

  • Change passwords for email, banking, payment apps, phone carrier, and any affected platform.
  • Turn on two-factor authentication and save backup codes securely.
  • Sign out of unknown sessions and remove unfamiliar devices or trusted browsers.
  • Check email forwarding rules, recovery email, recovery phone number, and connected apps.
  • Update your phone, browser, and computer operating system.
  • Remove suspicious apps, browser extensions, remote access tools, and configuration profiles.
  • Lock or replace compromised cards and change account PINs where needed.
  • Review recent logins and account changes for signs of wider compromise.

Credit and Identity Protection Steps

If your Social Security number, driver license number, medical insurance number, bank login, phone number, or date of birth was exposed, take identity protection seriously. Consider placing credit freezes with all three nationwide credit reporting companies when new-account fraud is possible. A freeze helps prevent many new credit accounts from being opened until you lift the freeze.

Fraud alerts are different from freezes. A fraud alert tells creditors to take extra steps to verify your identity. According to official consumer guidance, initial fraud alerts last at least one year. A freeze gives stronger control over access to your credit file, while a fraud alert is easier to place because contacting one nationwide credit reporting company should notify the others. Many people use both after confirmed identity theft.

What Not to Do

  • Do not delete messages, emails, call logs, or transaction records before saving proof.
  • Do not keep communicating with the scammer to gather more information if it exposes you to more manipulation.
  • Do not share one-time codes, PINs, passwords, recovery keys, or full account numbers with anyone who contacted you unexpectedly.
  • Do not rely on a phone number from a text, sponsored search result, forum comment, or pop-up.
  • Do not pay a recovery company that guarantees results or asks for crypto, gift cards, or wire payment.
  • Do not ignore mailed notices, collection letters, tax notices, insurance statements, or credit report changes.
  • Do not assume one report fixes everything. You may still need to contact banks, credit bureaus, platforms, insurers, and government agencies separately.

Timeline and Follow-Up

Recovery Timeline

TimeframeKey Actions
First 10 minutesStop communication. Take screenshots. Lock the card/account if possible. Write down the exact time and what happened.
First hourContact the bank, platform, carrier, insurer, or agency that can stop the immediate harm. Change passwords from a safe device. Ask for a case number. Start a proof folder.
Same dayFile FTC, IdentityTheft.gov, IC3, or police reports if appropriate. Review related accounts. Freeze credit or place fraud alerts if personal information was misused.
This weekFollow up on claims. Review credit reports and statements. Replace compromised cards or documents. Watch for recovery scams and additional account alerts.

FAQ

Q: Can I get my money back? A: Possibly, but it depends on payment method, timing, whether the transaction was unauthorized, and the rules of the bank or platform. Report quickly and ask for a written claim or case number.

Q: Should I file a police report? A: File one if there is theft, threats, stolen documents, a known suspect, large loss, or a company asks for it. For identity theft, an FTC Identity Theft Report can also be important documentation.

Q: Should I report to the FTC or FBI IC3? A: Use FTC ReportFraud for scams and deceptive practices. Use IC3 for internet-enabled crime, cyber fraud, account takeover, wire fraud, or online financial loss.

Q: What if I only clicked a link but entered nothing? A: Close the page, do not enter information, clear suspicious downloads if any, and monitor accounts. If you entered credentials or payment details, take stronger action.

Q: Should I freeze my credit? A: Consider it when your Social Security number, date of birth, driver license, or other identity data may be used to open new accounts. You must freeze separately with each nationwide credit reporting company.

Q: How long should I monitor my accounts? A: Monitor closely for at least several months, and longer if Social Security number, tax data, medical information, or bank login details were exposed.

Q: What if the company denies my claim? A: Ask for the denial reason in writing, submit missing proof, escalate to a supervisor or complaint department, and consider CFPB, FTC, IC3, state attorney general, or bank regulator options depending on the issue.

Q: Can I trust a recovery service? A: Be very cautious. No legitimate private service can guarantee recovery of scam losses, and many recovery offers are themselves scams.

Verification note: Digital safety rules and company processes can change. Before taking action on a specific account, verify current procedures directly with the official bank, credit bureau, government agency, insurer, phone carrier, or platform. Avoid unofficial support numbers found in ads, comments, or suspicious messages.

Protecting Your Social Security Number Online How to Spot an

Protecting Your Social Security Number Online How to Spot and Avoid Phishing Scams A Guide to Credit Freezes and Fraud Alerts Securing Your Email Account from Hackers What to Do If Your Bank Account is Hacked

Disclaimer

This guide is for general information only. It is not legal, financial, cybersecurity, tax, medical, or emergency advice. For urgent threats or danger, call 911 or local law enforcement. For financial loss, contact your bank, card issuer, payment app, insurer, carrier, or the relevant official agency as soon as possible. Recovery is not guaranteed, and your rights may depend on facts, timing, account type, payment method, and applicable law.

TDL Expert Panel editorial team for TheDigitalLife

About the TDL Expert Panel

TDL Expert Panel · TheDigitalLife Editorial Team

TDL Expert Panel is the editorial team behind TheDigitalLife. The team researches, reviews, and creates practical guides to help everyday readers make better decisions about home repair costs, refunds, AI tools, digital safety, productivity, and useful online resources. Each guide is written to be clear, useful, and easy to understand.