Identity theft recovery feels like an administrative nightmare. It is, a little. But the federal government has done meaningful work to turn it into a process you can actually follow. identitytheft.gov, operated by the FTC, is genuinely useful — it generates personalized recovery plans and the letters you need to send. Start there.

This is the sequence I walk people through.

Step 1: Document Everything

Before you call anyone, open a recovery folder:

  • A chronological log: date, time, who you spoke to, reference number, outcome. Every call.
  • Scanned copies of all correspondence.
  • A list of every account and entity potentially affected.
  • Your FTC Identity Theft Report (produced by identitytheft.gov — this is the foundational document).

Recovery can take months. Future you will thank present you for the log.

Step 2: The FTC Report and a Police Report

Go to identitytheft.gov, create a report, and download the FTC Identity Theft Report. This is a federal record that serves as the basis for most downstream disputes.

Then file a local police report. Bring your FTC report with you. Many states require a police report before bureaus will permanently block fraudulent accounts from your credit file. Some police departments push back on taking cyber-related reports — be polite, be persistent, and cite 15 U.S.C. § 1681c-2 (the Fair Credit Reporting Act block provision).

Step 3: Contact the Credit Bureaus

Two actions, separate from the freeze (which you should already have in place):

  1. Place an extended fraud alert (7 years) at one bureau — they share to the other two. Requires your Identity Theft Report.
  2. Dispute fraudulent items individually. Each bureau has an online dispute portal. Attach the FTC report and the police report. Under the FCRA, bureaus must investigate within 30 days.

For accounts opened entirely fraudulently, request a block under 15 U.S.C. § 1681c-2 — this is stronger than a dispute. It requires the Identity Theft Report and forces removal.

Step 4: Contact Each Creditor Directly

For each fraudulent account:

  • Call the creditor's fraud department (not general customer service).
  • Tell them the account is fraudulent and ask them to close it with a notation of fraud.
  • Ask for a letter confirming the account is closed, that you are not liable, and that they will correct reporting to the bureaus.
  • Request copies of the application and any transaction records — useful as evidence and to identify patterns.

Send a follow-up letter by certified mail with return receipt. The FTC provides sample letters at identitytheft.gov — use them.

Step 5: Tax-Related Identity Theft — IRS Form 14039

If someone has filed a tax return in your name, or if the IRS has flagged suspicious activity on your account, file Form 14039, Identity Theft Affidavit.

  • Form: irs.gov/pub/irs-pdf/f14039.pdf
  • File electronically through identitytheft.gov, which submits both the FTC report and Form 14039.
  • Mail option: fax or mail to the IRS per form instructions.
  • Request an Identity Protection PIN (IP PIN) at irs.gov/identity-theft-central. The IP PIN is a 6-digit number that must be on your return. Any return without it gets rejected. Massively effective.

The IRS Identity Protection Specialized Unit: 1-800-908-4490.

Step 6: Social Security Administration

The SSA does not generally re-issue SSNs. They will in rare cases of documented, ongoing misuse that you cannot resolve any other way. What they will do more readily:

  • Flag your SSA record for potential misuse. Call 1-800-269-0271 (SSA OIG Fraud Hotline).
  • Review your Social Security Statement at ssa.gov/myaccount for earnings that are not yours (employment identity theft indicator).
  • Block electronic access to your SSA account — request this explicitly if you fear account takeover.

Step 7: Other Places You Probably Need to Check

  • ChexSystems report (1-800-428-9623) — fraudulent bank account openings.
  • LexisNexis full file disclosure (1-866-897-8126) — insurance and background-check underlying data.
  • US Postal Service — if mail forwarding was changed fraudulently, report at uspis.gov or call 1-877-876-2455.
  • DMV — if a driver's license was issued in your name with someone else's photo, your state DMV has a process; the American Association of Motor Vehicle Administrators (aamva.org) can help locate it.
  • Medical records — request an accounting of disclosures under HIPAA from each provider you suspect was affected.

Realistic Timeline

The quick stuff — freezes, fraud alerts, IRS IP PIN — is done in a day. The slow stuff — disputes, creditor responses, IRS investigation if there was a fraudulent refund — can run 6 to 18 months. Stamina matters here. Set a weekly calendar hour to check open items, follow up on anything that has not moved in 30 days, and update your log.

You will not "feel recovered" for a while. But each step in this sequence closes a door the attacker was using. Work the list.