Free Resource — No Signup Required

Your identity was stolen.
Now what?

Every year, roughly 15 million Americans are victims of identity theft. Most have no idea what to do next — or how to make sure it never happens again. This guide was built to fix that. It's free, it's practical, and it's written in plain English. No products to sell, no affiliate links, no agenda.

Work through the checklist at your own pace. Each item explains not just what to do, but why it matters. Start with the Immediate Response section if you've just discovered fraud, or use any section as a standalone reference.

✓ Credit Freeze ✓ IRS IP PIN ✓ Passkeys Explained ✓ SIM Swap Defense ✓ Dark Web Monitoring ✓ Ongoing Habits
🔐 lockdownyourid.com

Identity Protection Checklist

Instructional, actionable, and free. Covers everything from immediate fraud response to long-term monitoring habits.
🚨

Immediate Response

Do these within 24–72 hours of discovering the fraud

⚠ Situation Overview

What It Means When the IRS Contacts You

If the IRS notifies you that a return was already filed under your Social Security Number, someone has your SSN and likely other personal data. This is called tax identity theft. The fraudster files early in the season to collect a refund before you file. The IRS will not process your legitimate return until fraud is resolved — a process that can take months. Acting fast limits the damage.

File IRS Form 14039 — Identity Theft Affidavit
Submit this form immediately to alert the IRS that your identity was used fraudulently. You can do this online at irs.gov or by mail. This begins the official resolution process and flags your account.
CRITICAL
File a report with the FTC at IdentityTheft.gov
The FTC's site walks you through a personal recovery plan step-by-step and generates an official Identity Theft Report you'll need for disputing accounts and working with the IRS.
CRITICAL
File a police report with your local department
While police rarely investigate these cases individually, having a police report number strengthens your documentation when disputing fraudulent accounts with creditors and credit bureaus.
HIGH
Request an IRS IP PIN (Identity Protection PIN)
An IP PIN is a 6-digit number the IRS assigns that must be included on your future tax returns. Once enrolled, no return can be filed under your SSN without it. Available at irs.gov/ippin.
CRITICAL
Check your Social Security earnings record
Visit ssa.gov/myaccount to verify no fraudulent wages or employers appear under your SSN. Fraudsters sometimes use stolen SSNs for employment, affecting your benefits and tax situation.
HIGH
Notify your bank and financial institutions
Alert your bank, credit card companies, and any investment accounts that your identity has been compromised. Ask them to flag your accounts for unusual activity and review recent transactions carefully.
HIGH
📊

Credit Freeze & IRS Protection

Lock your credit and shield your tax identity going forward

📘 What Is a Credit Freeze?

Credit Freeze vs. Fraud Alert

A credit freeze (also called a security freeze) restricts access to your credit report entirely. Lenders cannot pull your credit to open new accounts, stopping a fraudster from opening cards or loans in your name. A freeze is free at all three bureaus and can be lifted temporarily when you need to apply for credit yourself.

A fraud alert is weaker — it flags your file and asks lenders to verify your identity before extending credit, but it doesn't block the inquiry. Start with a freeze.

Freeze your credit at Equifax
Go to equifax.com/personal/credit-report-services and place a security freeze. Free. Keep the PIN or login credentials they provide — you'll need them to lift the freeze later.
CRITICAL
Freeze your credit at Experian
Visit experian.com/freeze and place a security freeze. Free. Create an Experian account to manage the freeze online, or call 1-888-397-3742.
CRITICAL
Freeze your credit at TransUnion
Visit transunion.com/credit-freeze. Free. All three bureaus must be frozen independently — freezing one does not freeze the others.
CRITICAL
Freeze your credit at NCTUE and ChexSystems
NCTUE is used by utility companies. ChexSystems is used by banks when opening checking accounts. Freeze both to block fraudulent utility and bank account openings.
HIGH
Pull your free credit reports and review them
Visit annualcreditreport.com for free reports from all three bureaus. Look for accounts you don't recognize, hard inquiries you didn't authorize, and incorrect personal info like addresses or employers.
CRITICAL
Dispute any fraudulent accounts in writing
Use the FTC's Identity Theft Report as supporting documentation. Send dispute letters to both the credit bureau and the creditor. Send via certified mail and keep copies of everything.
HIGH
Create an IRS online account and verify your identity
Create an account at irs.gov/account using ID.me verification. This lets you monitor your tax records, verify what returns have been filed, and manage your IP PIN going forward.
HIGH
🔑

Passwords, Passkeys & Authentication

Upgrade how you authenticate — the right tools make a massive difference

📘 What Is a Password Manager?

Why You Need One Right Now

A password manager is an encrypted vault that generates and stores strong, unique passwords for every site you use. Humans cannot reliably remember dozens of strong passwords — so we reuse them, which is how one breach at a small website becomes a compromise of your email, bank, and everything else. A password manager solves this completely.

Reputable options: 1Password, Bitwarden (open source, free tier), Dashlane. Your device's built-in manager (Apple Keychain, Google Password Manager) is also a solid starting point.

📘 What Is a Passkey?

Passkeys: The Future of Authentication

A passkey is a cryptographic credential that replaces your password entirely. Instead of typing a secret string, your device proves your identity using public-key cryptography — the same math that secures banks and governments. When you set up a passkey, your device creates a key pair: a private key stored securely on your device and a public key sent to the website. To log in, the site sends a challenge, your device signs it with your private key (unlocked by your face, fingerprint, or PIN), and the site verifies the signature. Your private key never leaves your device.

How to use one: When a supported site (Google, Apple, Microsoft, GitHub, PayPal) offers "Create a passkey," accept it. Your device will prompt you for Face ID, Touch ID, or your PIN. Next login, choose "Use passkey" instead of a password.

✓ Advantages
  • Immune to phishing — key is domain-locked
  • No password to steal in a breach
  • Fast login with biometrics
  • Works without cell service
  • Blocks credential stuffing attacks
✗ Limitations
  • Not all websites support them yet
  • Tied to your device — losing it requires a recovery process
  • Syncing across devices requires iCloud/Google/a password manager
  • Learning curve for some users
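
For readers who want to see the mechanism, here is an added example (not part of the original guide) that models the passkey sign-in described above: the site only ever holds a public key, each challenge works once, and a look-alike domain gets nothing usable. It is a simplified model, not the real WebAuthn message format; the Authenticator and Site classes and the bank.example / bank-login.example domains are made up for illustration.

```javascript
// Simplified passkey model (added illustration; names and domains are hypothetical).
const nodeCrypto = require('node:crypto');
// The signed payload binds the challenge to one domain.
const payload = (domain, challenge) =>
  Buffer.concat([Buffer.from(domain), Buffer.from([0]), challenge]);

// Device side: one key pair per site, filed under that site's domain.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(domain) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(domain, privateKey); // stays on the device
    return publicKey;                  // the only thing the site receives
  }
  // visitedDomain is reported by the browser, not by the page or the user.
  sign(visitedDomain, challenge) {
    const key = this.keys.get(visitedDomain);
    if (!key) return null;             // no passkey filed under this domain
    return nodeCrypto.sign('sha256', payload(visitedDomain, challenge), key);
  }
}

// Site side: holds only the public key and issues single-use challenges.
class Site {
  constructor(domain) { this.domain = domain; this.pending = new Set(); }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32);
    this.pending.add(c.toString('hex'));
    return c;
  }
  verify(challenge, signature) {
    if (!signature || !this.pending.delete(challenge.toString('hex'))) return false;
    return nodeCrypto.verify('sha256', payload(this.domain, challenge), this.publicKey, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const bank = new Site('bank.example');
  bank.enroll(device.register('bank.example'));
  const c1 = bank.newChallenge();
  const sig = device.sign('bank.example', c1);
  const genuine = bank.verify(c1, sig);
  const replay = bank.verify(c1, sig);  // same challenge again: rejected
  // A look-alike page relays a fresh challenge from the real bank.
  const c2 = bank.newChallenge();
  const phished = bank.verify(c2, device.sign('bank-login.example', c2));
  return { genuine, replay, phished };
}
```

Calling demo() returns genuine: true, replay: false, phished: false. A breach of the site's database exposes only public keys, which cannot be used to sign in.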
📘 Two-Factor Authentication (2FA)

2FA Methods Ranked by Security

Two-factor authentication requires a second proof of identity beyond your password. Not all 2FA is equal:

  • Best — Hardware security key (YubiKey): Physical device, phishing-proof, gold standard
  • Excellent — Passkey: Cryptographic, phishing-proof, device-bound
  • Good — Authenticator app (Authy, Google Authenticator): Time-based codes, not phishable via automated attacks
  • Acceptable — SMS text code: Vulnerable to SIM-swapping, but far better than nothing
  • Avoid — Email codes: If your email is compromised, this provides no protection
Secure your email account above everything else
Your email is the master key — most accounts recover through it. Use a strong unique password, enable passkey or 2FA via authenticator app, and review your recovery email and phone number for tampering.
CRITICAL
Set up a dedicated password manager
Install 1Password, Bitwarden, or similar. Migrate your existing accounts to it one by one. Generate a new, unique password for every site during migration.
CRITICAL
Change passwords on all critical accounts immediately
Email, bank, IRS, SSA, healthcare portals, and any account containing financial or personal data. Each new password should be long (16+ characters), random, and unique.
CRITICAL
Enable passkeys on every account that supports them
Check Settings → Security on Google, Apple ID, Microsoft, GitHub, PayPal, and others. Passkeys are more secure than any password and completely resistant to phishing.
HIGH
Enable 2FA on all critical accounts using an authenticator app
Authy or Google Authenticator generate time-based codes. Avoid SMS-only 2FA for critical accounts where possible — it's vulnerable to SIM-swap attacks.
HIGH
Check HaveIBeenPwned.com for your email addresses
This free service shows if your email or password appeared in known data breaches. Any account connected to a breached email+password combination should be treated as compromised.
HIGH
🛡️

Account & Device Security

Harden the accounts and devices that hold your life

⚠ SIM Swapping

What Is a SIM Swap Attack?

A SIM swap is when a fraudster contacts your mobile carrier and tricks them into transferring your phone number to a SIM card the attacker controls. Once they have your number, they receive your SMS verification codes and can use "Forgot Password" to take over your email, then cascade into every account tied to it. Protect yourself by adding a PIN or passcode to your mobile carrier account and requiring it for any number transfers.

Add a SIM lock / account PIN to your mobile carrier
Call or visit your carrier (AT&T, Verizon, T-Mobile) and add a Port Freeze or account PIN. This prevents your number from being transferred without in-person verification with ID.
HIGH
Review all active login sessions on major accounts
Google, Apple, Microsoft, and Facebook all show active devices under Security settings. Remove any session you don't recognize and sign out all other devices as a precaution.
HIGH
Audit third-party app permissions on Google, Apple, and Facebook
Go to Security → Third-party access and revoke any apps you don't recognize or no longer use. These connections can persist even after you stop using an app.
MEDIUM
Enable full-disk encryption on all your devices
iPhone and Android encrypt by default when a passcode is set. On Mac, enable FileVault (System Preferences → Security). On Windows, enable BitLocker (Pro) or Device Encryption (Home).
MEDIUM
Set a strong PIN/passcode on your phone (not 4-digit)
Use a 6-digit PIN minimum, or better, an alphanumeric passcode. A 4-digit PIN has only 10,000 combinations. An alphanumeric passcode is effectively unguessable.
MEDIUM
Keep all devices updated with current OS and app patches
Most real-world attacks exploit known vulnerabilities that are already patched. Keeping software updated is one of the highest-ROI security actions available.
MEDIUM
Opt out of pre-screened credit offers
Visit optoutprescreen.com (official FTC/CFPB resource) to stop credit card and insurance offer mailings. These mailers can be stolen from your mailbox and used to apply for credit in your name.
MEDIUM
👁️

Ongoing Monitoring

Build habits that catch fraud early — the sooner you know, the less damage done

📘 Dark Web Monitoring

What Is the Dark Web and Should You Worry?

The "dark web" refers to parts of the internet not indexed by search engines, accessible via specialized browsers, and often used for buying and selling stolen data. After a breach, your credentials may appear on dark web marketplaces within hours. You likely can't stop your data from being posted there, but monitoring services alert you when it appears so you can change affected passwords before attackers use them.

Free monitoring: Google (one.google.com), Apple (iCloud+ subscribers), and many credit cards include dark web monitoring. Paid services like Identity Guard or LifeLock offer broader SSN monitoring.

Enable dark web monitoring for your email addresses
Google's free dark web report monitors your Gmail address. Apple's iCloud+ includes data breach monitoring. Both send alerts when your info is found in known breach databases.
HIGH
Set up free credit monitoring with all three bureaus
Equifax, Experian, and TransUnion all offer free monitoring tiers. Enable alerts for new accounts, hard inquiries, and address changes. Credit Karma (free) provides continuous cross-bureau monitoring.
HIGH
Enable bank and credit card transaction alerts
Turn on push notifications for every transaction over $0 (or a very low threshold like $1). Real-time alerts mean you catch unauthorized charges within minutes, not months.
HIGH
Schedule a quarterly credit report review
Put a recurring calendar event every 3 months to pull your credit reports from annualcreditreport.com. Stagger the bureaus (one per month) for year-round coverage at no cost.
MEDIUM
Create a Social Security online account at ssa.gov
Creating your own account prevents someone else from creating one first and locking you out. Periodically review your earnings record for unauthorized employment entries.
HIGH
Sign up for USPS Informed Delivery
Informed Delivery (informeddelivery.usps.com) emails you a scan of your mail each morning before it arrives. You'll notice if someone intercepts financial documents or pre-screened offers.
MEDIUM
Shred all financial documents before disposal
Use a cross-cut or micro-cut shredder for bank statements, tax documents, pre-approved credit offers, medical statements, and anything with account numbers or personal details.
MEDIUM