Free Resource — No Signup Required

Your identity was stolen.
Now what?

Every year, roughly 15 million Americans are victims of identity theft. Most have no idea what to do next — or how to make sure it never happens again. This guide was built to fix that. It's free, it's practical, and it's written in plain English. No products to sell, no affiliate links, no agenda.

This happened to me. I received notice from the IRS that someone had already filed a tax return using my identity — and I had to figure out what to do entirely on my own. I built this checklist so that anyone else going through this doesn't have to navigate it alone.

Work through the checklist at your own pace. Each item explains not just what to do, but why it matters. Start with the Immediate tab if you've just discovered fraud — or use any section as a standalone reference.

🔐 lockdownyourid.com

Identity Protection Checklist

Instructional, actionable, and free. Covers everything from immediate fraud response to long-term monitoring habits.
🚨

Immediate Response

Do these within 24–72 hours of discovering the fraud

⚠ Situation Overview

What It Means When the IRS Contacts You

If the IRS notifies you that a return was already filed under your Social Security Number, someone has your SSN and likely other personal data. This is called tax identity theft. The fraudster files early in the season to collect a refund before you file. The IRS will not process your legitimate return until fraud is resolved — a process that can take months. Acting fast limits the damage.

File IRS Form 14039 — Identity Theft Affidavit
CRITICAL
Submit this form immediately to alert the IRS that your identity was used fraudulently. You can file online or by mail. This begins the official resolution process and flags your account. → Download IRS Form 14039
File a report with the FTC at IdentityTheft.gov
CRITICAL
The FTC's site walks you through a personal recovery plan step-by-step and generates an official Identity Theft Report you'll need for disputing accounts and working with the IRS. → Go to IdentityTheft.gov
File a police report with your local department
HIGH
While police rarely investigate these cases individually, having a police report number strengthens your documentation when disputing fraudulent accounts with creditors and credit bureaus.
Create an IRS Online Account, then request your IP PIN
CRITICAL
Step 1 — Create an IRS account: Before requesting an IP PIN, you'll need an IRS online account. Start at irs.gov/account. The IRS uses ID.me for identity verification — create a free ID.me account first and complete their identity check (government ID + a selfie). Once verified, you're linked to your IRS account automatically.

Step 2 — Request your IP PIN: Once logged in, navigate to the IP PIN section. An IP PIN is a 6-digit number that must be included on any tax return filed under your SSN. Without it, the return is rejected — which stops fraudulent filings cold. → Get your IP PIN

Important — PINs change every year: The IRS issues a new IP PIN each January. Log in to your IRS account at the start of each tax season to retrieve your current PIN before filing. Your tax preparer or software will ask for it. Treat it like a password — keep it private.
Check your Social Security earnings record
HIGH
Verify no fraudulent wages or employers appear under your SSN. Fraudsters sometimes use stolen SSNs for employment, which can affect your benefits and tax situation. → View your Social Security account
Notify your bank and financial institutions
HIGH
Alert your bank, credit card companies, and any investment accounts that your identity has been compromised. Ask them to flag your accounts for unusual activity and review recent transactions carefully.
📊

Credit Freeze & IRS Protection

Lock your credit and shield your tax identity going forward

📘 What Is a Credit Freeze?

Credit Freeze vs. Fraud Alert

A credit freeze (also called a security freeze) restricts access to your credit report entirely. Lenders cannot pull your credit to open new accounts, stopping a fraudster from opening cards or loans in your name. A freeze is free at all three bureaus and can be lifted temporarily when you need to apply for credit yourself.

A fraud alert is weaker — it flags your file and asks lenders to verify your identity before extending credit, but it doesn't block the inquiry. Start with a freeze.

Freeze your credit at Equifax
CRITICAL
Place a security freeze — free. Keep the PIN or login credentials they provide; you'll need them to lift the freeze later. → Freeze at Equifax
Freeze your credit at Experian
CRITICAL
Place a security freeze — free. Create an Experian account to manage it online, or call 1-888-397-3742. → Freeze at Experian
Freeze your credit at TransUnion
CRITICAL
Place a security freeze — free. All three bureaus must be frozen independently; freezing one does not freeze the others. → Freeze at TransUnion
Freeze your credit at NCTUE and ChexSystems
HIGH
NCTUE is used by utility companies. ChexSystems is used by banks when opening checking accounts. Freeze both to block fraudulent utility and bank account openings. → ChexSystems freeze
Pull your free credit reports and review them
CRITICAL
Get free reports from all three bureaus. Look for accounts you don't recognize, hard inquiries you didn't authorize, and incorrect personal info like addresses or employers. → AnnualCreditReport.com
Dispute any fraudulent accounts in writing
HIGH
Use your FTC Identity Theft Report as supporting documentation. Send dispute letters to both the credit bureau and the creditor. Send via certified mail and keep copies of everything.
🔑

Passwords, Passkeys & Authentication

Upgrade how you authenticate — the right tools make a massive difference

📘 What Is a Password Manager?

Why You Need One Right Now

A password manager is an encrypted vault that generates and stores strong, unique passwords for every site you use. Humans cannot reliably remember dozens of strong passwords — so we reuse them, which is how one breach at a small website becomes a compromise of your email, bank, and everything else. A password manager solves this completely.

Reputable options: 1Password, Bitwarden (open source, free tier), Dashlane. Your device's built-in manager (Apple Keychain, Google Password Manager) is also a solid starting point.

📘 What Is a Passkey?

Passkeys: The Future of Authentication

A passkey is a cryptographic credential that replaces your password entirely. Instead of typing a secret string, your device proves your identity using public-key cryptography — the same math that secures banks and governments. When you set up a passkey, your device creates a key pair: a private key stored securely on your device and a public key sent to the website. To log in, the site sends a challenge, your device signs it with your private key (unlocked by your face, fingerprint, or PIN), and the site verifies the signature. Your private key never leaves your device.

How to use one: When a supported site (Google, Apple, Microsoft, GitHub, PayPal) offers "Create a passkey," accept it. Your device prompts for Face ID, Touch ID, or your PIN. Next login, choose "Use passkey" instead of a password.

✓ Advantages
  • Immune to phishing — key is domain-locked
  • No password to steal in a breach
  • Fast login with biometrics
  • Works without cell service
  • Blocks credential stuffing attacks
✗ Limitations
  • Not all websites support them yet
  • Tied to your device — losing it requires recovery
  • Syncing across devices requires iCloud/Google/a password manager
  • Learning curve for some users
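
The challenge-and-signature exchange described above, as an added example that is not part of the original guide: a simplified Node.js model (not the real WebAuthn message format) showing a valid login, a replayed answer, and a look-alike domain. The class names and the domains `bank.example` and `bank-login.example` are assumptions made up for illustration.

```javascript
// Added example: simplified model of a passkey login, not the real WebAuthn format.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');
// The device: holds one private key per site. Private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(domain) {
    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
    this.keys.set(domain, privateKey);
    return publicKey; // only the public key is sent to the site
  }
  // `origin` is the domain the browser is really on, not what the page claims.
  signIn(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no passkey exists for this domain
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: sign(null, clientData, privateKey) };
  }
}

// The website: stores the public key and issues single-use challenges.
class Site {
  constructor(domain) { this.domain = domain; this.publicKey = null; this.pending = new Set(); }
  newChallenge() {
    const challenge = randomBytes(32).toString('hex');
    this.pending.add(challenge);
    return challenge;
  }
  verifyLogin(assertion) {
    if (!assertion) return false;
    const { clientData, signature } = assertion;
    if (!verify(null, clientData, this.publicKey, signature)) return false;
    const { origin, challenge } = JSON.parse(clientData.toString());
    // Reject other domains, and unknown or already-used challenges.
    return origin === this.domain && this.pending.delete(challenge);
  }
}

function demo() {
  const device = new Authenticator();
  const bank = new Site('bank.example'); // constructed domain names
  bank.publicKey = device.register(bank.domain);
  const assertion = device.signIn('bank.example', bank.newChallenge());
  const legit = bank.verifyLogin(assertion);
  const replay = bank.verifyLogin(assertion); // same signed answer sent twice
  // A look-alike page relays a fresh challenge, but the device has no key for it.
  const phished = bank.verifyLogin(device.signIn('bank-login.example', bank.newChallenge()));
  return { legit, replay, phished };
}
console.log(demo());
```

Only the first login succeeds: the replay fails because each challenge is single-use, and the look-alike domain fails because the device holds no key for it.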
📘 Two-Factor Authentication (2FA)

2FA Methods Ranked by Security

Two-factor authentication requires a second proof of identity beyond your password. Not all 2FA is equal:

  • Best — Hardware security key (YubiKey): Physical device, phishing-proof, gold standard
  • Excellent — Passkey: Cryptographic, phishing-proof, device-bound
  • Good — Authenticator app (Authy, Google Authenticator): Time-based codes, resistant to automated phishing
  • Acceptable — SMS text code: Vulnerable to SIM-swapping, but far better than nothing
  • Avoid — Email codes: If your email is compromised, this provides no protection
Secure your email account above everything else
CRITICAL
Your email is the master key — most accounts recover through it. Use a strong unique password, enable passkey or 2FA via authenticator app, and review your recovery email and phone number for tampering.
Set up a dedicated password manager
CRITICAL
Install 1Password or Bitwarden. Migrate your existing accounts one by one, generating a new unique password for each during migration.
Change passwords on all critical accounts immediately
CRITICAL
Email, bank, IRS, SSA, healthcare portals, and any account containing financial or personal data. Each new password should be long (16+ characters), random, and unique.
Enable passkeys on every account that supports them
HIGH
Check Settings → Security on Google, Apple ID, Microsoft, GitHub, PayPal, and others. Passkeys are more secure than any password and completely resistant to phishing.
Enable 2FA on all critical accounts using an authenticator app
HIGH
Authy or Google Authenticator generate time-based codes. Avoid SMS-only 2FA for critical accounts — it's vulnerable to SIM-swap attacks.
Check HaveIBeenPwned.com for your email addresses
HIGH
This free service shows if your email or password appeared in known data breaches. Any account connected to a breached combination should be treated as compromised. → Check HaveIBeenPwned
🛡️

Account & Device Security

Harden the accounts and devices that hold your life

⚠ SIM Swapping

What Is a SIM Swap Attack?

A SIM swap is when a fraudster contacts your mobile carrier and tricks them into transferring your phone number to a SIM card the attacker controls. Once they have your number, they receive your SMS verification codes and can use "Forgot Password" to take over your email, then cascade into every account tied to it. Protect yourself by adding a PIN or passcode to your carrier account and requiring it for any number transfers.

Add a SIM lock / account PIN to your mobile carrier
HIGH
Call or visit your carrier (AT&T, Verizon, T-Mobile) and add a Port Freeze or account PIN. This prevents your number from being transferred without in-person verification with ID.
Review all active login sessions on major accounts
HIGH
Google, Apple, Microsoft, and Facebook all show active devices under Security settings. Remove any session you don't recognize and sign out all other devices as a precaution.
Audit third-party app permissions on Google, Apple, and Facebook
MEDIUM
Go to Security → Third-party access and revoke any apps you don't recognize or no longer use. These connections persist even after you stop using an app.
Enable full-disk encryption on all your devices
MEDIUM
iPhone and Android encrypt by default when a passcode is set. On Mac, enable FileVault (System Preferences → Security). On Windows, enable BitLocker (Pro) or Device Encryption (Home).
Set a strong PIN/passcode on your phone (not 4-digit)
MEDIUM
Use a 6-digit PIN minimum, or better, an alphanumeric passcode. A 4-digit PIN has only 10,000 combinations. An alphanumeric passcode is effectively unguessable.
Keep all devices updated with current OS and app patches
MEDIUM
Most real-world attacks exploit known vulnerabilities that are already patched. Keeping software updated is one of the highest-ROI security actions available.
Opt out of pre-screened credit offers
MEDIUM
Stop credit card and insurance offer mailings — these can be stolen from your mailbox and used to apply for credit in your name. → OptOutPrescreen.com (official FTC/CFPB resource)
👁️

Ongoing Monitoring

Build habits that catch fraud early — the sooner you know, the less damage done

📘 Dark Web Monitoring

What Is the Dark Web and Should You Worry?

The "dark web" refers to parts of the internet not indexed by search engines, often used for buying and selling stolen data. After a breach, your credentials may appear on dark web marketplaces within hours. You can't stop your data from being posted there, but monitoring services alert you when it appears so you can change affected passwords before attackers use them.

Free monitoring: Google One and Apple iCloud+ both include dark web monitoring. Many credit cards also include it at no cost. Paid services like Identity Guard or LifeLock offer broader SSN monitoring.

Enable dark web monitoring for your email addresses
HIGH
Google's free dark web report monitors your Gmail address. Apple's iCloud+ includes data breach monitoring. Both alert you when your info is found in known breach databases. → Google dark web report
Set up free credit monitoring with all three bureaus
HIGH
Equifax, Experian, and TransUnion all offer free monitoring tiers. Enable alerts for new accounts, hard inquiries, and address changes. Credit Karma (free) provides continuous cross-bureau monitoring.
Enable bank and credit card transaction alerts
HIGH
Turn on push notifications for every transaction over $0 (or a threshold like $1). Real-time alerts mean you catch unauthorized charges within minutes, not months.
Schedule a quarterly credit report review
MEDIUM
Put a recurring calendar event every 3 months to pull your credit reports from AnnualCreditReport.com. Stagger the bureaus (one per month) for year-round coverage at no cost.
Create a Social Security online account at ssa.gov
HIGH
Creating your own account prevents someone else from creating one first and locking you out. Periodically review your earnings record for unauthorized employment entries. → Create your SSA account
Sign up for USPS Informed Delivery
MEDIUM
Informed Delivery emails you a scan of your mail each morning before it arrives. You'll notice immediately if someone intercepts financial documents or pre-screened credit offers. → Sign up for Informed Delivery
Shred all financial documents before disposal
MEDIUM
Use a cross-cut or micro-cut shredder for bank statements, tax documents, pre-approved credit offers, medical statements, and anything with account numbers or personal details.