How to Protect Yourself From Identity Theft (2026)
Identity theft affects millions of people every year. The average victim spends 6 months and 200 hours resolving the damage. These 10 habits take under an hour to set up and create meaningful barriers that most identity thieves will simply move past to easier targets.
Quick Answer
The most impactful identity theft prevention steps are: unique passwords for every account (via a password manager), two-factor authentication on email and financial accounts, regular breach checks on your email address, credit monitoring, and being cautious about phishing. Together, these address the majority of identity theft attack vectors.
Identity theft — the scale of the problem
15M
Identity theft victims annually in the US
175K+
Identity fraud cases in UK in 2025
£1,200
Average financial loss per UK victim
200hrs
Average time to resolve identity theft
What Is Identity Theft?
Identity theft occurs when someone uses your personal information — name, date of birth, address, financial details, or government ID numbers — without your consent, typically for financial gain.
The most common forms include opening new credit accounts or loans in your name, making purchases using your existing payment details, filing fraudulent tax returns to claim your refund, and taking over your existing accounts (email, bank, social media) to extract money or information.
Identity theft is not a single event — it is often an ongoing crime that continues until detected. The average gap between the theft and discovery is over a year. By the time victims notice, significant damage has already been done.
10 Habits That Protect Your Identity
Use unique, strong passwords for every account
Setup time: 30 minutes (using a password manager)
Why it matters
Password reuse is the single most common way identity thieves gain access to your accounts. When one service is breached, attackers try the same credentials on banking, email, and shopping sites.
How to do it:
Install a password manager (Bitwarden is free and excellent). Let it generate a unique random password for every account. Your email account is the most critical — change that first.
Enable two-factor authentication on every important account
Setup time: 20 minutes
Why it matters
Even if someone steals your password, 2FA stops them logging in without your phone or security key. Microsoft reports 2FA blocks 99.9% of automated account attacks.
How to do it:
Start with your email account — it controls every other password reset. Download an authenticator app (Google Authenticator, Authy, or Aegis) and enable 2FA in account settings.
Regularly check your email address for data breaches
Setup time: 5 minutes now, then periodically
Why it matters
Your personal data may have been exposed in a breach without your knowledge. Breach databases contain your credentials, and attackers actively use them months or years after the breach.
How to do it:
Run your email address through SafeSearchScan's email breach checker. Check every few months or sign up for automated breach alerts.
Monitor your credit file regularly
Setup time: 10 minutes to set up
Why it matters
Credit monitoring catches new accounts opened in your name — a primary sign of identity theft — often before you notice any direct impact.
How to do it:
In the UK: use ClearScore (free), Experian (free basic), or check your statutory credit report with all three main bureaus. In the US: annualcreditreport.com provides free reports from all three bureaus. Look for accounts you don't recognise, credit enquiries you didn't authorise, or address changes.
Be cautious about what personal information you share online
Setup time: Ongoing habit
Why it matters
Social media oversharing gives identity thieves the building blocks for impersonation. Full name, date of birth, phone number, hometown, mother's maiden name, school names — all common security question answers that unlock accounts.
How to do it:
Audit your social media privacy settings. Limit profile information to what's genuinely necessary. Be particularly careful about date of birth, phone number, and location data.
Shred documents containing personal information before discarding
Setup time: Ongoing habit
Why it matters
"Dumpster diving" — going through rubbish for discarded documents — is a real and surprisingly common identity theft technique, particularly for high-value targets.
How to do it:
Shred bank statements, utility bills, insurance documents, medical bills, and any document containing your name and account numbers. A cross-cut shredder (not strip-cut) is significantly more secure.
Recognise and avoid phishing attempts
Setup time: Learning (20 minutes reading) + ongoing vigilance
Why it matters
Phishing attacks are the leading method of credential theft and personal data harvesting. A single click on the wrong link can expose your login details, credit card numbers, or install keylogging malware.
How to do it:
Check sender email addresses, hover over links before clicking, and never enter credentials via a link in an email — always navigate to the site directly. Check suspicious links with a URL checker.
Use a virtual card number for online shopping
Setup time: 5 minutes
Why it matters
Virtual card numbers are single-use or merchant-locked card numbers that limit fraud exposure. If a site you shopped at is breached, the virtual number is useless to attackers.
How to do it:
Many UK banks and card providers offer virtual card numbers (Revolut, Monzo, and many credit card providers). Privacy.com is popular in the US. Use a virtual number for any site you're not fully confident in.
Secure your post and physical mail
Setup time: 1 hour (once)
Why it matters
Physical mail theft exposes bank statements, utility bills, credit card offers, and other documents that can be used to open accounts in your name or to reset account passwords.
How to do it:
Use a secure letterbox. Consider opting out of pre-approved credit card offers (reduces high-value mail). Use paperless statements where possible. If you move house, set up Royal Mail address redirection (UK) or USPS mail forwarding (US) for at least 12 months.
Consider a credit freeze if you've been affected by a serious breach
Setup time: 30 minutes
Why it matters
A credit freeze prevents any new credit being opened in your name — the most direct protection against new-account identity fraud.
How to do it:
In the UK: CIFAS Protective Registration (£25, lasts 2 years). In the US: free credit freeze available from all three bureaus (Equifax, Experian, TransUnion). You must unfreeze temporarily when applying for credit yourself.
Warning Signs Someone Is Using Your Identity
Identity theft is often silent for months. Watch for these signs:
- You receive bills or collection notices for accounts you didn't open
- Your credit report shows credit applications you didn't make
- Your bank statements show transactions you don't recognise
- You receive a tax notice about income you didn't earn or that your return was already filed
- You are denied credit for no apparent reason
- Medical bills arrive for treatment you didn't receive
- Your postal mail stops arriving (address change fraud)
- You receive notifications about account logins from unfamiliar locations
- Debt collectors call about debts you don't owe
What to Do If You Suspect Identity Theft
- 1
Confirm the theft
Review your credit reports from all three bureaus for accounts you don't recognise. Check your bank and card statements thoroughly.
- 2
Place a fraud alert or credit freeze
Contact one credit bureau (they notify the others) to place a fraud alert. Consider a full credit freeze to prevent new accounts being opened.
- 3
Report to the relevant authorities
UK: report to Action Fraud (0300 123 2040) and CIFAS. US: file a report at identitytheft.gov (FTC). This creates an official record that helps when disputing fraudulent accounts.
- 4
Contact affected companies
Call any bank, lender, or service where fraudulent accounts were opened. Ask to speak to the fraud department specifically. Document all calls (date, name, reference number).
- 5
Secure all your accounts
Change passwords and enable 2FA on email and financial accounts. Check for any accounts using the compromised details.
- 6
Monitor for 12+ months
Identity thieves often wait before using stolen data. Check your credit report quarterly for the next year at minimum.
Start With a Breach Check — It Takes 5 Seconds
Find out if your email address has already appeared in a data breach. This is the fastest way to understand your current exposure.
Get Your Identity Risk Score — Free
See your personal exposure score across breach databases, dark web, and email age signals. Takes 30 seconds.
Get My Risk Score Free →Frequently Asked Questions
What is the most common form of identity theft?
Financial identity theft — using stolen personal information to open credit accounts, take out loans, or make purchases in someone's name — is the most common form. According to the FTC, it accounts for roughly a third of all identity theft reports. New account fraud (where thieves open entirely new accounts) is growing fastest. In the UK, identity fraud affected over 175,000 people in 2025.
How does identity theft typically happen?
The most common sources are: data breaches (companies you have accounts with are hacked and your data is stolen), phishing attacks (you're tricked into entering your details on a fake site), mail theft (physical documents with personal information stolen from your post), social media oversharing (attackers piece together enough personal information from public profiles to impersonate you), and account takeover (your email or other accounts are compromised, giving attackers access to personal data stored there).
How long does it take to resolve identity theft?
The FTC reports the average identity theft victim spends 6 months and 200 hours resolving the aftermath. For serious cases involving fraudulent loans or tax fraud, resolution can take years. This is why prevention is so much more valuable than recovery. The most time-consuming aspect is typically disputing fraudulent accounts with credit bureaus and proving to each individual creditor that the accounts were not opened by you.
Should I use a credit monitoring service?
Free credit monitoring from your bank or from services like Experian, ClearScore (UK), or Credit Karma (US) is worthwhile and catches fraudulent new accounts. Paid services add insurance, resolution support, and wider monitoring (such as dark web scans for your personal data). If you've been in a significant data breach or are in a high-risk profession, paid monitoring may be worth the cost. For most people, free monitoring plus the habits in this guide is sufficient.
Can identity theft happen to children?
Yes — child identity theft is a significant and underdetected crime. Children have clean credit histories and their parents rarely monitor their credit, meaning fraud can go undetected for years until the child applies for their first credit card or loan as an adult. Parents should periodically check if their child has a credit file at all (they shouldn't until they're an adult) and report unexpected credit records immediately.
Related Guides
What to Do After a Data Breach
Step-by-step guide for the next 48 hours
Has Your Email Been Hacked?
Signs of compromise and how to recover
What Is Two-Factor Authentication?
Stops 99% of account hacks
How to Create a Strong Password
Passwords that take centuries to crack
How to Spot a Phishing Email
9 warning signs to check every time
What Is Social Engineering?
6 attack types and how to defend against them