beginner · 21 min read · Mar 8, 2026 · Updated Mar 11, 2026

How to Prevent Identity Theft: A Complete Guide

Tags: privacy, identity-theft, social-engineering, fraud, personal-security

Key Takeaways

  • Identity thieves don't typically work from a single breach.
  • A credit freeze (also called a security freeze) prevents any lender from pulling a credit report to underwrite a new account in your name.
  • Identity theft response has a priority order.
  • No combination of controls eliminates identity theft risk.

The Equifax breach happened in 2017. The attackers had access to Equifax's systems from May 13 to July 30 of that year — 78 days of unauthorized access — before the company noticed. By the time it did, the Social Security numbers, birth dates, addresses, driver's license numbers, and credit card information of 147 million Americans had been stolen. That's nearly half the US population.

Here's what's worse: that data is still being used. In 2024, a fraud researcher documented cases of accounts being opened using Equifax breach data — seven years after the breach. The data doesn't expire. Social Security numbers don't change. Birth dates don't change. The 147 million people whose information was stolen in 2017 will carry that exposure for the rest of their lives.

Equifax settled with the FTC, the CFPB and the states in 2019 for at least $575 million, rising to as much as $700 million depending on claims. The alternative cash payment was advertised at up to $125, but it came out of a capped pool and far more people claimed it than the fund anticipated, so most claimants ended up with a few dollars. Equifax's CEO Richard Smith resigned within weeks of the disclosure. The company's own breach-related costs ran well over a billion dollars; the people whose data was stolen got pocket change.

This is the identity theft landscape: your data has almost certainly already been stolen, from multiple sources, in breaches you had no control over. The breach itself is not where the theft occurs. The theft happens weeks, months, or years later when someone weaponizes that data against a financial institution whose verification systems were designed for convenience rather than adversarial conditions.

The question is not whether your data is out there. It is. The question is how hard you've made it to use against you.

How Identity Theft Actually Works: The Full Attack Chain

Identity thieves don't typically work from a single breach. They aggregate data from multiple sources to build a complete profile. Understanding the assembly process shows you where to intervene.

The Data Aggregation Problem

Consider what a complete identity thief's profile of you might look like after aggregating:

  • Equifax breach (2017): Your name, SSN, birth date, address, driver's license number
  • Yahoo breach (2013-2014, revealed 2016): Your email address, birth date, security questions and answers (often used across multiple accounts)
  • LinkedIn breach (2021): Your professional history, connections, email, phone number
  • T-Mobile breach (2021, one of multiple): Your account number, PIN, SSN, driver's license, IMEI
  • Data broker records: Your previous addresses, relatives' names and addresses, estimated income, home value, vehicle information

Assembled together, this is enough to pass the knowledge-based authentication (KBA) questions used by banks, utilities, and credit bureaus ("What is your mother's maiden name?" "What street did you grow up on?" "What was your first car?"). These questions assume the answer is known only to you. After the aggregation described above, it is not.

The Three-Phase Identity Theft Attack

Phase 1 — Reconnaissance (often automated): Attackers buy aggregated breach data on criminal markets; in 2024, records sold for roughly $0.50-$5 each on established dark web markets. Email/password pairs are run through automated credential stuffing tools against financial sites to find which combinations still work, and the remaining PII is cross-referenced to build the profiles used for account recovery and new-account fraud.

Phase 2 — Account access or new account opening: With working credentials (or sufficient PII for synthetic identity fraud), attackers either take over existing accounts or open new ones. New account fraud at banks and credit card issuers succeeds because their customer acquisition systems are optimized to minimize friction — making it easy to open accounts also makes it easy for fraudsters.

Phase 3 — Monetization: Fraudsters withdraw money, make purchases, sell the access to other criminals, or allow the accounts to age and build credit (synthetic identity fraud) before maxing them out.

The time between Phase 1 and Phase 3 can be days (opportunistic credential stuffing) or years (synthetic identity cultivation). This is why "safe windows" after a breach don't exist.

Attack Vector: Phishing and Vishing

Phishing generates the initial foothold in many identity theft chains, particularly for financial account takeover. Modern phishing is not the crude "Nigerian prince" variety — it is precisely targeted, visually indistinguishable from legitimate communications, and engineered for urgency.

Spear phishing against individuals (the consumer-side cousin of Business Email Compromise): An attacker who has your name, bank, and email (trivially assembled from breach data and LinkedIn) sends an email that appears to come from your bank's fraud department. It reports suspicious activity on your account and links to a page where you can "verify your identity." The link leads to a pixel-perfect spoofed login page. You enter your credentials; if your second factor is a code typed into the page (SMS or authenticator app), a proxying phishing kit relays that too. The attacker then changes the email and phone number on the account and drains it before you receive any alerts.

Vishing (voice phishing): The caller claims to be from your bank's fraud department, the IRS, Social Security Administration, Medicare, or another high-authority organization. They've already verified themselves by telling you information that feels private — your SSN last four digits, your address, your bank account number ending in XXXX. This information came from a breach or data broker. The verification creates false legitimacy. Then they ask for the information they don't have: the full account number, your PIN, a one-time code.

The defining characteristic of both attacks: they create urgency ("Your account will be frozen in 24 hours"), they impersonate authority, and they arrive with enough pre-existing information to feel credible.

Defense: Hang up and call back. If someone claims to be your bank, end the call, find your bank's phone number from its official website or the back of your card, and call that number. Never use a link or a phone number supplied by the message itself. No legitimate financial institution or government agency will object to you calling back through official channels.
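The checks below, added here as an illustration and not code from the original post, show what "does this link really go to my bank?" looks like when done mechanically: every link in a constructed sample message is extracted and compared against an assumed legitimate domain (examplebank.com, hypothetical), flagging look-alike registrations, punycode hostnames, plain HTTP, and link text that advertises a different domain than the href. The two-label suffix list is a small stand-in for the Public Suffix List a real tool would use.

```python
"""Flag links in an email that do not resolve to the bank's real domain.

Added example for this guide; not code from the original post. The message and
the bank domain 'examplebank.com' are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Registrable domains this mailbox treats as the bank (hypothetical).
TRUSTED_DOMAINS = {"examplebank.com"}

# Two-label public suffixes, enough for the demo. A production tool would load
# the full Public Suffix List instead of this stand-in.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname: login.examplebank.com -> examplebank.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_link(href: str, text: str) -> list[str]:
    """Return the red flags for one link; an empty list means none found."""
    flags = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append("not https")
    if "xn--" in host:
        flags.append("punycode (look-alike) hostname")
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        flags.append("raw IP address")
    if "@" in parts.netloc:
        flags.append("userinfo before host")
    if host and registrable_domain(host) not in TRUSTED_DOMAINS:
        flags.append(f"domain {registrable_domain(host)} is not the bank's")
    # Visible text that looks like a URL but points somewhere else.
    m = re.search(r"https?://([^\s/]+)", text)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        flags.append("link text shows a different domain than the href")
    return flags


def analyze_email(html: str) -> dict[str, list[str]]:
    """Map each href in the message to its list of red flags."""
    p = LinkExtractor()
    p.feed(html)
    return {href: analyze_link(href, text) for href, text in p.links}


# Constructed sample message; the hostnames are made up, not real sites.
SAMPLE_EMAIL = """
<p>We detected unusual activity. Please verify within 24 hours.</p>
<a href="https://examplebank.com.verify-account.net/login">https://examplebank.com/login</a>
<a href="http://xn--examplebnk-8jb.com/login">Secure login</a>
<a href="https://login.examplebank.com/">Contact us</a>
"""

if __name__ == "__main__":
    for href, flags in analyze_email(SAMPLE_EMAIL).items():
        print(("SUSPICIOUS " if flags else "ok         ") + href, flags)
```

The first link is the classic trick: the bank's name appears at the front of the hostname, but the registrable domain is verify-account.net. The point of computing the registrable domain rather than string-matching on the bank's name is exactly that.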

Attack Vector: SIM Swapping

SIM swapping is targeted identity theft that bypasses SMS-based two-factor authentication. The attacker calls your mobile carrier, impersonates you using PII from breach data and data broker records, and convinces customer service to transfer your phone number to a new SIM card they control.

Once your number is transferred to their SIM, they receive all your text messages — including 2FA codes for your bank, brokerage, email, and cryptocurrency accounts. They then trigger password resets for high-value accounts, intercept the 2FA codes, and take over the accounts before you realize your phone has lost service.

Real case: Michael Terpin lost roughly $24 million in cryptocurrency to a SIM swap in January 2018 and sued AT&T later that year. His number had been swapped once before, in June 2017; after that first incident AT&T added a higher-security passcode to his account, which the attackers got around the second time. In 2019 Terpin won a $75.8 million judgment against the SIM swapper himself, Nicholas Truglia. The case against AT&T was largely dismissed and was still being argued on appeal in 2024.

Real case: T-Mobile agreed in 2022 to a $350 million class action settlement over its 2021 breach, which exposed names, SSNs, driver's license numbers and other details of roughly 76 million current, former and prospective customers: exactly the PII a SIM swapper needs to impersonate you to carrier support.

Defense: Set an account PIN or passcode at every carrier you use, and turn on whatever port-out protection the carrier offers (often called a number lock, port freeze, or account takeover protection) so that a port or SIM change requires you to unlock the account first, or to appear in a store with photo ID. Treat the carrier PIN like a password: unique, stored in your password manager, never reused from your bank. Then stop using SMS for 2FA on any account where it matters.

Attack Vector: Mail and Physical Document Theft

This vector gets less attention because it's lower-tech, but it generates the initial PII that enables more sophisticated attacks. Pre-approved credit card offers, tax documents (W-2s, 1099s), Explanation of Benefits forms from your health insurer, brokerage statements — all contain sufficient PII to either open new accounts directly or supplement aggregated breach data.

Mailboxes in apartment buildings are trivially compromised — many use decades-old locks with master keys purchasable online. Rural mailboxes on public roads are routinely accessed. Even locked residential mailboxes are not secure against a determined thief with time and a cordless drill.

The USPS Informed Delivery service (available free at informeddelivery.usps.com) provides daily email previews of mail being delivered — allowing you to notice if an expected financial document doesn't arrive. It also alerts you when mail is delivered, so you know when to retrieve it promptly.

Attack Vector: Synthetic Identity Fraud

This is the fastest-growing and hardest-to-detect form of identity theft. The attacker builds a synthetic identity by pairing a real SSN (stolen, typically one whose credit file is dormant: a child's, an elderly person's, or a recent immigrant's) with a fabricated name, birth date, and address.

The synthetic identity is used to apply for credit. Initial applications are rejected (there's no credit history). But the inquiry establishes the identity in the credit bureau system. Over 12-18 months, the synthetic identity builds credit by obtaining secured credit cards, paying them on time, and becoming an authorized user on other accounts. The synthetic identity then "busts out" — maxing every available credit line simultaneously and disappearing.

The victim — the person whose SSN was used — typically discovers the fraud when they apply for credit for the first time (a student loan, first car, apartment application) and find their SSN is associated with an unknown person with extensive credit history and possibly delinquent accounts.

Children are disproportionately targeted because their SSNs won't be checked against a credit report for 18 years. In some documented cases, children discovered upon reaching adulthood that their SSNs were associated with decades of fraudulent credit activity.

Defense: Freeze your credit — including your children's credit — immediately.

Prevention: What Actually Works

Control 1: Freeze Your Credit at All Six Bureaus

A credit freeze (also called a security freeze) prevents any lender from pulling a credit report to underwrite a new account in your name. Even if an attacker has your complete PII — SSN, name, address, birth date — they cannot open new credit accounts because no lender can pull your report.

The freeze is free, reversible (you can lift it temporarily when you're applying for credit), and doesn't affect your existing accounts or credit score. The process is online at each bureau's website.

The six bureaus to freeze:

| Bureau | Website | What it gates |
|--------|---------|---------------|
| Equifax | equifax.com/personal/credit-report-services/credit-freeze/ | Major credit underwriting |
| Experian | experian.com/freeze/center.html | Major credit underwriting |
| TransUnion | transunion.com/credit-freeze | Major credit underwriting |
| ChexSystems | chexsystems.com | Bank account opening |
| LexisNexis Risk Solutions | consumer.risk.lexisnexis.com | Insurance, employment, specialty lenders |
| NCTUE (National Consumer Telecom and Utilities Exchange) | ctaconsumer.equifax.com | Utility account opening |

Most people freeze only the three major bureaus. That leaves new bank account fraud (ChexSystems) and insurance and utility fraud (LexisNexis, NCTUE) wide open. Freeze all six. A seventh, Innovis (innovis.com), is a smaller credit bureau that also offers a free freeze; add it if you want that path closed as well.

Keeping your PINs: Each bureau issues a PIN or password for managing your freeze. Store these in your password manager. Losing a freeze PIN isn't the end of the world — bureaus have recovery processes — but it's an annoyance that adds friction to the legitimate credit application process you're already trying to streamline.

Temporary lift for credit applications: Each bureau lets you lift a freeze temporarily (for a date range you choose, after which it re-freezes on its own) or for a single named creditor. When applying for a mortgage, car loan, or apartment that requires a credit check, ask which bureau the lender pulls and lift only that one, only for as long as the application needs.

Freezing children's credit: You can freeze a minor child's credit at all three major bureaus. The process requires mailing documentation (proof of parentage, the child's SSN, your ID) because the online systems are built for adults. It's tedious. Do it anyway. A 2011 Carnegie Mellon CyLab study of identity-protection scan data found children's SSNs being misused at 51 times the rate of adults'. Their clean SSNs are premium inventory for synthetic identity fraud.

Control 2: Monitor Your Credit Reports

A credit freeze prevents new account fraud. Regular monitoring catches fraud that got through (if your freeze wasn't in place when the fraud occurred) and account takeover fraud on existing accounts.

Free federal entitlement: Under federal law (the Fair Credit Reporting Act, as amended), you're entitled to one free credit report per bureau every twelve months through AnnualCreditReport.com, the federally mandated free access point. The weekly free access the three bureaus introduced during COVID-19 was made permanent in 2023, so you can pull any of your reports every week at no cost.

Strategy: With weekly access there is no reason to limit yourself to one pull per bureau per year. At minimum, stagger the pulls (one bureau per month, cycling through them) so you get twelve points of visibility a year instead of three, and pull more often after any incident.

What to review on each report:

  • Accounts you don't recognize (new credit cards, loans, retail accounts)
  • Hard inquiries (credit pulls) from lenders you don't recognize
  • Addresses you've never lived at
  • Employers you've never worked for
  • Accounts with incorrect balances, payment history, or status
  • Derogatory marks (collections, late payments) on accounts you didn't open

Paid monitoring services: Services like LifeLock ($11.99-$34.99/month), Experian IdentityWorks ($9.99-$29.99/month), and Identity Guard ($8.99-$29.99/month) provide real-time alerts for credit events rather than requiring periodic manual pulls. They're useful if you've already been victimized (the early warning latency improvement matters more after a breach) or if you handle high-value transactions. For most people, free weekly monitoring plus a credit freeze is sufficient.

Control 3: IRS Identity Protection PIN

Tax identity theft is a significant problem that operates on a calendar-year cycle. Attackers file fraudulent tax returns in your name early in the filing season (January-February), claim a refund, receive it, and disappear. When you file your legitimate return, the IRS rejects it because a return for your SSN has already been filed.

The IRS Identity Protection PIN (IP PIN) program is the defense. The IP PIN is a six-digit number that must be included on your federal tax return. Without it, the IRS rejects the return. An attacker who has your SSN but not your current IP PIN cannot file a fraudulent return.

Enroll here: irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin

The IP PIN resets annually in January. Once enrolled, you receive your new PIN by mail or online through the IRS portal in December/January. You must include the new PIN on each year's return. The program is free and, as of 2021, available to all US taxpayers (not just confirmed identity theft victims as was originally required).

Critical: Do not share your IP PIN with anyone including tax preparers — give it directly to the software or the form, not as a number you communicate verbally or by email.

Control 4: Harden Your Social Security Number Access

Your SSN is the master key. It's the number that ties your credit file, tax record, healthcare identity, banking identity, and government benefits record together. Protecting it requires active effort because almost every organization will ask for it regardless of whether it's actually required.

The mandatory vs. optional distinction: Organizations that are legally required to collect your SSN: your employer (payroll taxes and W-2 reporting), the IRS and the Social Security Administration, financial institutions opening accounts under the Customer Identification Program rules of the USA PATRIOT Act, and anyone who must file an information return about you (a brokerage issuing a 1099, for instance). Nearly everyone else, including doctors' offices, utility companies, schools, and many insurers, asks out of habit rather than requirement. You can refuse and offer a substitute identifier.

Practice the refusal: "I'd prefer not to provide my SSN unless it's legally required. Can I use a different identifier?" Most organizations will accommodate this. Those that insist should be able to name the legal requirement; if they can't, the request is habit, not necessity.

Your SSN card: Keep it in a fireproof safe at home. Not in your wallet. Never in your wallet. If you need it for a specific appointment (passport application, new job I-9 verification), bring it, use it, and return it the same day.

Don't provide it digitally: Don't email your SSN. Don't text it. Don't enter it on websites you're uncertain about. HTTPS doesn't mean trustworthy — it means the connection is encrypted, not that the server is operated by a legitimate business.

Medical identity: Medical identity theft — someone using your SSN and name to obtain healthcare services — results in fraudulent medical bills, incorrect information in your medical record, and potential incorrect data in your health insurer's records. The defense is reviewing your Explanation of Benefits (EOB) for every claim filed with your insurer. Most insurers provide these online — review them monthly.

Control 5: Password Manager and Credential Hygiene

Credential stuffing is the weaponization of breach databases. When a database of email/password combinations from any breach is available, attackers run automated tools that try those combinations against every financial institution's login page. If you've reused passwords — used the same password at your bank as you did at a forum that got breached — the attacker gets in on the first try.

The scale of the problem: The "Mother of All Breaches" (MOAB) compilation found in January 2024 on an unsecured storage instance held about 26 billion records drawn from thousands of earlier breaches. Credential stuffing tools, spread across proxy networks to dodge per-IP rate limits, can make hundreds of thousands of login attempts per minute. If you reused a password that appears in any of those breaches, every account using it is at risk.
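What a stuffing run looks like from the other side of the login page, as an added example rather than anything from the original post: the log lines are constructed, and the `ts ip=... user=... result=...` format is an assumed one, not any product's. The rule that separates stuffing from ordinary brute force is the one the text implies: one source trying many different accounts with a low success rate, versus one account being hammered.

```python
"""Spot credential stuffing in authentication logs.

Added example for this guide, not code from the original post. The log lines
are constructed and the field layout (ts ip= user= result=) is assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5      # one IP trying this many different accounts ...
MAX_SUCCESS_RATIO = 0.2     # ... with mostly failures looks like a stuffing run
BRUTE_FORCE_ATTEMPTS = 10   # one account, this many straight failures


def parse_line(line: str) -> dict:
    """Parse 'ts ip=... user=... result=...' into a dict with a datetime ts."""
    ts, *kv = line.split()
    rec = dict(item.split("=", 1) for item in kv)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def classify(lines) -> dict:
    """Return {ip: label} for source IPs that trip a rule.

    'credential_stuffing': many distinct users from one IP, mostly failing.
    'brute_force': a single user failing repeatedly from one IP.
    IPs that never trip a rule are omitted. A label, once set, sticks.
    """
    events = defaultdict(deque)   # ip -> (ts, user, ok) within the window
    verdicts = {}
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        q = events[rec["ip"]]
        q.append((rec["ts"], rec["user"], rec["result"] == "OK"))
        while q and rec["ts"] - q[0][0] > WINDOW:   # slide the window
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(ok for _, _, ok in q)
        if len(users) >= MIN_DISTINCT_USERS and successes / len(q) <= MAX_SUCCESS_RATIO:
            verdicts[rec["ip"]] = "credential_stuffing"
        elif len(q) >= BRUTE_FORCE_ATTEMPTS and len(users) == 1 and successes == 0:
            verdicts[rec["ip"]] = "brute_force"
    return verdicts


# Constructed sample: a stuffing run (six accounts, one hit), a normal user
# who mistyped once, and a brute-force loop against a single account.
SAMPLE_LOG = """\
2026-03-08T02:14:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2026-03-08T02:14:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2026-03-08T02:14:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2026-03-08T02:14:03Z ip=203.0.113.7 user=dave@example.com result=OK
2026-03-08T02:14:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2026-03-08T02:14:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2026-03-08T02:20:00Z ip=192.0.2.9 user=bob@example.com result=FAIL
2026-03-08T02:20:09Z ip=192.0.2.9 user=bob@example.com result=OK
""" + "".join(
    f"2026-03-08T03:00:{i:02d}Z ip=198.51.100.5 user=alice@example.com result=FAIL\n"
    for i in range(10)
)

if __name__ == "__main__":
    for ip, label in classify(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {label}")
```

The single OK inside the stuffing run is the line that matters to a defender: dave@example.com reused a breached password, and that account needs a forced reset, not just the IP blocked. Real operators spread attempts across thousands of proxy IPs to stay under per-IP thresholds, so a production detector would also count distinct source IPs per target account.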

The defense: Every account gets a unique, randomly generated password stored in a password manager. If one service is breached, the attacker gets a password that works nowhere else.

Recommended password managers:

| Manager | Price | Notable Features |
|---------|-------|------------------|
| Bitwarden | Free / $10/year premium | Open source, independently audited, self-host option |
| 1Password | $2.99/month | Strong business features, Travel Mode (hides vaults at borders) |
| Dashlane | $4.99/month | Dark web monitoring included, VPN included |
| Keeper | $2.91/month | Strong business plan, BreachWatch dark web monitoring |

Password generation settings: 16+ characters, random (not memorable words), all character classes. Since the manager fills them in for you, there is no reason for online-account passwords to be memorable; save passphrases for the handful of secrets you must hold in your head: the manager's master password, device encryption, and similar.

Master password: The one password you must remember, your password manager's master password, should be a diceware passphrase of 6-8 words; with the standard 7,776-word list that is roughly 77 to 103 bits of entropy. This is the one exception to the random-string rule. Pick the words with physical dice and a diceware word list, or with a cryptographic random generator; never by choosing words yourself.
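To make the two rules concrete (random strings for accounts, a dice-style passphrase for the master password), here is an added example of both generators done correctly with Python's `secrets` module, which is the CSPRNG, rather than `random`, which is not. It is not code from the original post; the eight-word list is a constructed stand-in for a real 7,776-word diceware list, and the entropy figures use the real list size so they match the numbers above.

```python
"""Generate account passwords and a master passphrase with a CSPRNG.

Added example for this guide, not code from the original post. DEMO_WORDS is
a stand-in for a real diceware list; entropy is computed for the real size.
"""
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
DICEWARE_LIST_SIZE = 7776   # 6^5 entries in a standard diceware list

# Constructed stand-in; a real run loads the EFF or Reinhold word list.
DEMO_WORDS = ["harbor", "velvet", "cactus", "mosaic",
              "pepper", "tundra", "quartz", "lantern"]


def random_password(length: int = 20) -> str:
    """Uniformly random password over ALPHABET, with at least one character
    from each class (lower, upper, digit, symbol). Rejection sampling keeps
    the distribution uniform over the strings that satisfy the rule."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover all classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def diceware_passphrase(words, count: int = 7) -> str:
    """Pick `count` words uniformly with secrets.choice. Each pick is
    independent, so the entropy is count * log2(len(words))."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a diceware passphrase drawn from a list of list_size words."""
    return entropy_bits(list_size, word_count)


if __name__ == "__main__":
    print("account password:", random_password(20),
          f"({entropy_bits(len(ALPHABET), 20):.1f} bits)")
    for n in (6, 7, 8):
        print(f"{n}-word diceware passphrase: {passphrase_entropy(n):.1f} bits")
    print("demo passphrase (toy list):", diceware_passphrase(DEMO_WORDS))
```

A 20-character password over this 87-symbol alphabet carries about 129 bits, more than an 8-word passphrase, which is why random strings win wherever a manager types them for you. The passphrase's entropy comes entirely from the size of the list and the number of words, not from how strange the words look, which is why choosing them yourself undermines the math.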

Control 6: Multi-Factor Authentication With Correct Priority

MFA stops account takeover even when passwords are compromised. The type of MFA matters significantly.

MFA strength hierarchy:

| Type | Strength | Defeatable By |
|------|----------|---------------|
| Hardware security key (FIDO2/WebAuthn) | Strongest | Physical theft of the key (plus its PIN or biometric, where user verification is on) |
| Authenticator app (TOTP) | Strong | Real-time phishing (code relay), malware on the device |
| SMS/text code | Moderate | SIM swapping, SS7 attacks, phishing |
| Email code | Moderate | Email account compromise, phishing |
| Security questions | Weak | Data breach aggregation |
| None | Worst | Password alone is sufficient |

SMS is not adequate for high-value accounts. Michael Terpin's $24 million loss happened despite SMS-based MFA. The SIM swap bypassed it trivially. Move financial accounts to authenticator apps or hardware keys.

Hardware security keys: A YubiKey 5 costs about $50; a Titan Security Key from Google about $30. These physical devices plug into USB (or talk to phones over NFC) and provide phishing-resistant authentication. Even if you enter credentials on a phishing site, the phishing site cannot complete FIDO2 authentication: the credential is bound to the legitimate site's domain (the relying party ID), and the browser writes the origin the user is actually on into the signed data, so an assertion produced on a look-alike domain fails verification at the real site. FIDO2 credentials, whether on a hardware key or a platform passkey on your phone or laptop, are the only common MFA type resistant to real-time phishing; a TOTP or SMS code typed into the wrong page is simply relayed.
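The contrast in the table above, shown in code as an added example rather than anything from the original post: a TOTP code is a pure function of the shared secret and the clock (RFC 6238, HMAC-SHA1, 30-second step, checked here against the RFC's own test vectors), so nothing about it says where it was typed; a WebAuthn assertion carries the origin and a hash of the relying party ID, which the site verifies before it even looks at the signature. The WebAuthn part is a simplified model of those relying-party checks with the signature step omitted, and the domains are hypothetical.

```python
"""TOTP per RFC 6238, and the origin checks that make FIDO2 non-relayable.

Added example for this guide, not code from the original post. The WebAuthn
functions model the relying party's type/challenge/origin/rpIdHash checks only;
real assertions are also signed with the credential's private key.
"""
import hashlib
import hmac
import json
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or +/- skew_steps around it.

    Nothing ties the code to where it was typed: a code captured on a phishing
    page and replayed inside this window is accepted, which is the weakness the
    guide describes.
    """
    return any(hmac.compare_digest(totp(key, unix_time + d * 30), code)
               for d in range(-skew_steps, skew_steps + 1))


# --- WebAuthn/FIDO2 origin binding (model of the relying-party checks) ---

def authenticator_assertion(rp_id: str, origin: str, challenge: str) -> dict:
    """What the browser and authenticator hand back: the browser records the
    origin the page is actually loaded from; the authenticator includes
    SHA-256 of the RP ID it was asked to use (the rpIdHash in authData)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True)
    auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
    return {"clientDataJSON": client_data, "authData": auth_data}


def rp_verify(assertion: dict, expected_rp_id: str, expected_origin: str,
              expected_challenge: str) -> bool:
    """Relying-party checks that precede signature verification in WebAuthn:
    ceremony type, challenge, origin and rpIdHash must all match."""
    cd = json.loads(assertion["clientDataJSON"])
    return (cd.get("type") == "webauthn.get"
            and hmac.compare_digest(cd.get("challenge", ""), expected_challenge)
            and cd.get("origin") == expected_origin
            and hmac.compare_digest(assertion["authData"],
                                    hashlib.sha256(expected_rp_id.encode()).digest()))


if __name__ == "__main__":
    key = b"12345678901234567890"             # RFC 6238 test secret
    print("TOTP now:", totp(key, int(time.time())))
    good = authenticator_assertion("examplebank.com", "https://examplebank.com", "c1")
    # A relayed assertion: the user is on a look-alike site, so the browser
    # records that origin. (A real browser would refuse the request even
    # earlier, since the RP ID is not a suffix of the phishing domain.)
    phish = authenticator_assertion("examplebank.com", "https://examplebank-login.net", "c1")
    print("legit:", rp_verify(good, "examplebank.com", "https://examplebank.com", "c1"))
    print("relayed:", rp_verify(phish, "examplebank.com", "https://examplebank.com", "c1"))
```

The asymmetry is the whole story: `verify_totp` is happy with any six digits that match the window, wherever they came from, while `rp_verify` rejects the relayed assertion on the origin field alone, before any cryptography is involved.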

Priority order for MFA deployment:

  1. Primary email account — controls password resets for everything else. Hardware key if possible; authenticator app otherwise. SMS only if no other option.
  2. Financial accounts (banking, brokerage, crypto) — hardware key or authenticator app. Never SMS only.
  3. Authentication providers (Apple ID, Google account) — hardware key or authenticator app. These credentials unlock everything else.
  4. Domain registrar and DNS (if you own a domain) — hardware key. Control of DNS is control of all email and web services on that domain.
  5. Password manager — hardware key and/or strong authenticator app.
  6. Social media — authenticator app minimum.

Control 7: Secure Your Physical Mail Stream

Opt out of pre-approved credit offers: Visit optoutprescreen.com, the opt-out service the nationwide credit bureaus provide under the Fair Credit Reporting Act, to remove yourself from prescreened-offer lists. The online opt-out lasts five years; the mailed form makes it permanent. A prescreened offer is a live invitation to open credit: a thief who takes it from your mailbox can return it with a changed address and have a new account opened in your name.

Cross-cut shredder: Strip-cut shredded documents can be reassembled. Cross-cut (confetti) shredding makes reassembly impractical, and micro-cut is better still. Every document with PII, including bank statements, medical bills, insurance documents, utility bills, pre-approved offers, and tax documents, goes through the shredder before disposal. Shred anything carrying your SSN, account numbers, insurance member ID, date of birth, or your address combined with financial information.

USPS Informed Delivery: Free service at informeddelivery.usps.com. USPS emails you daily photos of the mail being delivered to your address. You know what's coming before it arrives, which alerts you to missing mail (that was intercepted before delivery).

PO Box or Mailbox Receiving Service: If your mailbox is physically insecure — apartment bank of mailboxes, rural roadside mailbox — consider routing sensitive financial mail to a PO Box ($6-$200/year at USPS) or a private mailbox service (UPS Store, FedEx Office). All major financial institutions and the IRS will mail to PO boxes.

Control 8: Data Broker Opt-Out and Remediation

Data brokers are the aggregation layer that makes social engineering attacks credible. Services like Spokeo, WhitePages, BeenVerified, Intelius, Radaris, PeopleFinder, and approximately 200 other companies purchase, aggregate, and sell public records — your name, current and historical addresses, relatives, phone numbers, estimated income, property records, and more.

This data is used by social engineers to preload their calls with "verification" information that makes them seem legitimate ("I have your address as 123 Main Street, is that correct?"). It's also used to build targeted phishing campaigns.

Manual opt-out: Each data broker has an opt-out process. These processes are deliberately tedious — designed to discourage completion — and typically require you to find the opt-out page, provide your name and address (ironically), and sometimes submit a copy of your ID. Major brokers to opt out of manually:

  • Spokeo: spokeo.com/opt-out
  • WhitePages: whitepages.com/suppression-requests
  • PeopleFinder: peoplefinder.com/optout.php
  • BeenVerified: beenverified.com/opt-out
  • Intelius: intelius.com/opt-out
  • Radaris: radaris.com/ng/page/opt-out
  • FastPeopleSearch: fastpeoplesearch.com/removal

Manual opt-out from all 200+ data brokers would take approximately 40-60 hours. The opt-outs also expire — brokers re-aggregate your data from public records.

Automated services:

| Service | Price | What It Does |
|---------|-------|--------------|
| DeleteMe | $129/year | Removes from 40+ major brokers, quarterly re-removal |
| Privacy Bee | $197/year | Removal from 250+ brokers, monthly monitoring |
| Kanary | $9.99/month | Continuous monitoring and removal |
| Incogni | $77.88/year | Sends legal opt-out requests under GDPR/CCPA |

For individuals with elevated risk (executives, attorneys, domestic violence survivors, public figures), these services are worth the cost. For average individuals, manually opting out of the 10-15 most prominent data brokers covers the majority of the risk at no cost.

Control 9: Monitor HaveIBeenPwned

Troy Hunt's HaveIBeenPwned (haveibeenpwned.com) is a free service that indexes breach data and allows you to check whether your email addresses have appeared in known data breaches.

Setup takes three minutes:

  1. Visit haveibeenpwned.com
  2. Enter your email address — it will show which known breaches contained your email
  3. Click "Notify Me" to receive email alerts when future breaches include your address
  4. Do this for every email address you use

When a breach includes your address, evaluate: does the breach include passwords? If so, change that password anywhere you used it (ideally you're using unique passwords and only need to change it on that one site). Does it include SSN, payment data, or other sensitive PII? If so, escalate monitoring and watch your credit reports closely.

HIBP indexes well over ten billion records across thousands of breaches. The presence of your email in this database doesn't mean your accounts were directly compromised; breach databases are often years old. But it tells you what data criminals have, which tells you which accounts to prioritize securing.

When You've Already Been Hit: Response Framework

Identity theft response has a priority order. Deviating from it costs time.

Immediate Response (First 24 Hours)

Step 1: Freeze your credit at all six bureaus. Do this first. Every minute the freeze is not in place, new fraudulent accounts can be opened. Even if you're in the middle of understanding what happened, freeze the credit first.

Step 2: File a report at IdentityTheft.gov (FTC). This generates a personalized recovery plan, documents the theft with the federal government, and produces pre-populated dispute letters for creditors and bureaus. Required for many downstream steps.

Step 3: Change passwords for compromised accounts — from a clean device (not the device that may have been phished or compromised). Change email first; then financial accounts.

Step 4: Enable 2FA on every account where it wasn't already enabled. The identity thief who just accessed your account is watching for re-access attempts.

Short-Term Response (First Week)

File a police report. Required by some creditors and insurance companies to document fraud. Bring your FTC Identity Theft Report. Request a copy with the report number.

Dispute fraudulent accounts. Using the FTC's dispute letter templates (available at identitytheft.gov), dispute fraudulent accounts with the creditors directly and with each credit bureau.

Under the Fair Credit Reporting Act (15 U.S.C. § 1681c-2), credit bureaus must block fraudulent information from appearing on your credit report once they receive your identity theft documentation. They must do so within 4 business days of receiving:

  • Your completed identity theft report (FTC form)
  • Proof of your identity
  • Identification of the specific information you're disputing
  • A statement that the information did not come from any transaction you made

Request extended fraud alert. An extended fraud alert (7 years, for confirmed victims) instructs lenders to take additional verification steps before opening accounts. File with one bureau and it notifies the others. This complements but does not replace the credit freeze.

Notify financial institutions. Alert your bank, credit card companies, and brokerage about the identity theft. Ask them to flag your account for enhanced monitoring and verify that your account profile (email, phone, address) hasn't been modified.

IRS notification. File IRS Form 14039 (Identity Theft Affidavit) to alert the IRS and get your case flagged. Simultaneously enroll in the IP PIN program if you haven't already.

Long-Term Monitoring (Ongoing)

Document everything. Create a chronological log: dates, organizations contacted, representative names, reference numbers, and outcomes. This documentation is essential for insurance claims, legal proceedings, and dispute escalations.

Identity theft resolution averages 200 hours over 6 months according to the Identity Theft Resource Center's annual report. The 200 hours is real — the FTC's recovery guide alone lists 20+ specific steps across multiple agencies and institutions. The documentation log prevents you from starting from zero at each step.

Extended fraud alert renewal or ongoing freeze. A credit freeze is preferable long-term — it's automatic, not just a notification. After the initial incident, keep the freeze in place unless you need credit.

Medical record audit. Contact your health insurer and request a list of claims filed under your policy for the past year. Review for services you didn't receive. Contact providers for any you don't recognize to request records, then dispute with the insurer.

Consider identity theft insurance. Many homeowners and renters policies include identity theft coverage as a rider ($20-$50/year). Standalone identity theft insurance from LifeLock ($11.99-$34.99/month), Zander Insurance ($6.75-$12.90/month), or through your bank covers professional remediation services, legal fees, and lost wages during recovery. The coverage is most valuable for the professional remediation access — having someone make the calls rather than you.

The Realistic Picture

No combination of controls eliminates identity theft risk. Your data is in dozens of breach databases you never chose to be part of. Organizations you trusted (Equifax, T-Mobile, Yahoo) failed to protect it. The market has not adequately punished those failures — Equifax's settlement amounted to approximately $4 per victim.

The prevention controls described here work by making you a harder target than the path of least resistance. Attackers optimize for speed and scale — they run credential stuffing against millions of accounts, and they focus on those where the same password works at multiple sites, where MFA is absent, where credit is unfrozen, where phishing succeeds. Systematically closing those easy paths pushes attacks toward scenarios that require more work per target, which most attackers won't bother with.

The credit freeze is the single highest-impact control. It's free, reversible, and blocks the entire category of new account fraud — the most common and most damaging form. If you do nothing else from this guide, freeze your credit today at all six bureaus listed above.

After that, in rough priority order: enable MFA on email and financial accounts, set up an IP PIN with the IRS, opt out of pre-approved credit offers, and set up HIBP monitoring. These five steps together take approximately three hours and address the highest-probability threats.

The identity theft problem will not be solved by individual protective measures — it requires credit bureaus with actual accountability, financial institutions that prioritize fraud prevention over application convenience, and companies that face meaningful consequences for data breaches. Until those systemic changes happen, the burden falls on individuals to navigate a system that was not designed with their protection as the primary objective.

That's unjust. It's also the current reality. Work with it.

