Identity Theft Recovery Checklist: What to Do in the First 24 Hours, 7 Days, and 30 Days

Fraud.Link Editorial
2026-06-11

A practical identity theft recovery checklist for the first 24 hours, 7 days, and 30 days, with tracking steps you can revisit monthly.

If your identity has been misused, speed matters more than perfection. This timeline-based identity theft recovery checklist helps you make the right moves in the first 24 hours, the next 7 days, and the first 30 days after discovery. It is designed to be practical, calm, and reusable: a guide you can follow once during an incident and revisit later as a standing recovery tracker for account takeover recovery, credit freeze decisions, document replacement, and ongoing monitoring.

Overview

Identity theft recovery can feel chaotic because the damage often spreads across multiple systems at once: email, bank accounts, credit files, mobile numbers, shopping accounts, tax records, and employer portals. The goal is not to solve every problem immediately. The goal is to contain the breach, preserve evidence, restore access, and monitor for follow-on abuse.

This checklist is organized around three windows:

  • First 24 hours: stop active misuse and secure your core accounts.
  • First 7 days: document the incident, contact affected institutions, and put formal protections in place.
  • First 30 days: replace compromised identifiers, audit your wider digital footprint, and set up ongoing checks.

Use this article if you are dealing with any of the following:

  • Unauthorized credit inquiries or new accounts
  • Bank, card, or peer-to-peer payment fraud
  • Email or phone account takeover
  • Tax, benefits, or employment-related misuse of personal data
  • Marketplace, shopping, or subscription account abuse
  • Loss or theft of identity documents

If you suspect the theft began with a phishing message, fake support contact, or text-based impersonation attempt, it also helps to review related fraud patterns. See "How to Verify a Suspicious Email Before You Click Anything"; "Current Text Scam Trends to Watch: Delivery, Toll, Bank, and Account Alerts"; and "Phone Number Scam Lookup Guide: How to Check Unknown Calls, Texts, and Voicemails".

The key principle throughout this guide is sequencing. Start with the systems that can lock you out or move money fast: your email, phone number, banking apps, and primary financial accounts. Then expand outward to credit, government records, merchants, and lower-priority logins.

The first 24 hours

In the first day, focus on containment.

  1. Secure your primary email account. Change the password from a trusted device, sign out other sessions if possible, and enable multi-factor authentication. Review forwarding rules, recovery email addresses, inbox filters, and app connections.
  2. Change passwords for financial and high-risk accounts. Prioritize banking, card accounts, payroll, tax, cloud storage, password manager, mobile carrier, and major shopping accounts. Use unique passwords.
  3. Freeze or lock access where available. If your bank or card issuer offers temporary card lock or account alerts, enable them. Consider a credit freeze after identity theft if personal data may be used to open new accounts.
  4. Call affected institutions using official contact information. Do not call numbers from suspicious texts or emails. Use the number on the back of your card, the institution's official site, or a statement you already trust.
  5. Check recent transactions and login history. Save screenshots of unauthorized charges, password reset emails, login alerts, and any messages from the attacker.
  6. Preserve evidence before deleting anything. Keep emails, texts, call logs, transaction IDs, timestamps, and account notices in one incident folder.
  7. Scan your device if compromise is possible. If you installed remote access software, opened a malicious attachment, or entered credentials on a suspicious site, treat the device as potentially compromised until reviewed.

If money was sent through a peer-to-peer payment platform, act immediately and report the transfer inside the app and through the provider's official support path. Related reading: Zelle, Cash App, and Peer-to-Peer Payment Scams: A Current Warning Guide.

The first 7 days

During the first week, move from containment to formal recovery.

  1. Create a written incident log. Record dates, times, contacts, case numbers, accounts affected, and what changed. This becomes your master timeline.
  2. Review your credit reports and dispute unfamiliar activity. Note hard inquiries, new trade lines, address changes, and name variations.
  3. Place fraud protections on your credit profile as appropriate. A freeze helps block new account creation using your information. Keep a secure record of how to manage it later.
  4. Report the scam or identity theft through relevant channels. File complaints where they are useful for documentation and follow-up. See How to Report a Scam: Where to File Complaints and What Evidence to Save.
  5. Contact merchants and service providers tied to misuse. This may include telecom providers, marketplaces, insurers, lenders, payroll platforms, and subscription services.
  6. Replace compromised credentials and recovery methods. Update backup email addresses, phone numbers, authenticator settings, security questions, and trusted devices.
  7. Check your domain-wide exposure. Search your password manager, browser password store, and email archive for accounts that reuse the same password or recovery email.

This is also the right time to think about how the theft happened. If it began with a fake login page, suspicious store, QR code, or impersonation website, you may want to audit the source of compromise so it does not happen again. See "Is This Website a Scam? A 15-Point Site Check You Can Use Before You Buy" and "QR Code Scams Explained: How to Check a QR Code Before You Scan".

The first 30 days

By the end of the first month, the urgent work should shift into recurring monitoring and cleanup.

  1. Replace documents if needed. If a driver's license, passport, Social Security card, insurance card, or employee badge was lost or misused, begin the replacement process through official channels.
  2. Audit all major accounts for silent changes. Look for modified shipping addresses, payment methods, saved devices, recovery contacts, inbox rules, and API or app authorizations.
  3. Set up recurring alerts. Enable transaction alerts, login notifications, password change alerts, and new payee notices where available.
  4. Review your tax, payroll, and benefits portals. Attackers often pivot into systems that are checked less frequently than banking apps.
  5. Update your household or business response plan. If the incident exposed weak spots such as shared passwords, lack of MFA, or unverified support calls, fix the process, not just the symptom.
  6. Watch for delayed fraud. Identity data may be stored and misused later. Continued monitoring matters even after immediate charges stop.

What to track

A recovery checklist is most useful when it doubles as a tracker. Instead of relying on memory, create a single document or spreadsheet and update it as you go. The following variables are worth monitoring because they reveal whether the theft is contained, spreading, or resurfacing.

1. Core account control

  • Primary email secured
  • MFA enabled and tested
  • Recovery email and phone updated
  • Unknown devices removed
  • Inbox forwarding or filters reviewed

If your email remains unstable, everything else stays at risk. Many account takeover recovery failures happen because a victim changes passwords on secondary accounts while the attacker still controls email resets.

2. Financial exposure

  • Unauthorized transactions found
  • Cards locked or replaced
  • Bank disputes opened
  • Peer-to-peer transfers reported
  • Billing address or payee changes reversed

Track not just confirmed fraud, but also near misses: failed charges, strange small transactions, or one-time verification messages you did not request.

3. Credit and lending signals

  • New inquiries
  • New accounts
  • Address changes
  • Name variations
  • Fraud alert or freeze status

These signals help answer a critical question: was the theft limited to existing-account abuse, or is someone trying to establish new credit in your name?

4. Identity document exposure

  • Driver's license lost or copied
  • Passport exposure
  • Insurance ID misuse
  • Employee or student ID compromise
  • Tax identifier exposure

Document theft may lead to longer-tail problems than password theft. Keep separate notes for each document replacement process and any reference numbers issued.

5. Phone number and mobile carrier signals

  • Unexpected carrier notices
  • Loss of mobile service
  • Port-out or SIM change warnings
  • MFA codes arriving late or not at all
  • New line or device financing activity

Your phone number is often the bridge between identity data and account takeover. Sudden service changes should be treated as high priority.

6. Evidence and case management

  • Case numbers from banks or platforms
  • Complaint confirmations
  • Screenshots saved
  • Contact names and dates
  • Deadlines for dispute follow-up

This part is easy to neglect but becomes essential if you need to prove a pattern of misuse, escalate a dispute, or revisit unresolved losses weeks later.

7. Root cause and prevention fixes

  • Phishing source identified
  • Reused passwords eliminated
  • Authenticator app set up
  • Password manager reviewed
  • Household or team security changes documented

The incident is only partly resolved if you restore access but leave the original weakness in place.

Cadence and checkpoints

Recovery is easier when you stop treating it as a one-time event. Use fixed checkpoints so you can tell whether things are improving or merely going quiet.

Daily for the first week

  • Review bank and card activity
  • Check email login alerts and password reset messages
  • Confirm you still control MFA methods
  • Monitor mobile carrier service and security messages
  • Update your incident log after every support call

These checks are short but high value. They catch attackers who attempt a second pass after noticing you changed credentials.

Twice weekly for the rest of the first month

  • Review key account settings for silent changes
  • Check dispute progress and replacement card status
  • Monitor major merchant accounts for address or order changes
  • Review credit-related notifications
  • Follow up on any unresolved complaint or case number

This is where many people stop too early. Some fraud shows up only after replacement credentials are issued or after an attacker tests whether monitoring has relaxed.

Monthly after the first month

  • Review core account security settings
  • Check credit-related changes
  • Reconfirm alerts are still enabled
  • Audit password reuse and new account sprawl
  • Verify no stale recovery methods were reintroduced

A monthly review is a good long-term default for anyone who has experienced identity theft once. It turns a stressful event into a manageable monitoring routine.

Quarterly for broader cleanup

  • Review all important accounts, not just the ones that were hit
  • Rotate passwords for the most sensitive systems if appropriate
  • Prune old apps and connected services
  • Reassess document storage and mailbox security
  • Update family or team procedures for fraud response

This quarterly check is particularly useful for technical professionals who manage many services, developer tools, cloud consoles, and payment-linked subscriptions.

How to interpret changes

Not every alert means the attack is active, and not every quiet period means it is over. What matters is the pattern.

Signs the situation is stabilizing

  • No new unauthorized transactions after credentials were changed
  • No additional password reset requests you did not initiate
  • Credit files remain unchanged after protections are applied
  • Support tickets begin closing with confirmed remediation steps
  • Mobile service, MFA, and email remain under your control

These signals suggest your immediate containment steps worked. Keep monitoring, but you can usually shift from crisis mode to scheduled review.

Signs the attacker still has access

  • Repeated MFA prompts or reset emails
  • Settings keep changing back
  • Unknown devices reappear
  • Transactions resume after card replacement
  • New apps or forwarding rules appear in email or cloud accounts

These are not normal leftovers. They suggest an unresolved foothold, such as email compromise, device malware, stolen session cookies, or continued control of your phone number.

Signs the theft is expanding into new-account fraud

  • Unexpected credit inquiries
  • Mail, email, or texts about accounts you did not open
  • Debt collection notices tied to unfamiliar lenders or services
  • Address changes you did not make
  • Identity verification failures on legitimate services you already use

This pattern points to broader identity misuse rather than a single compromised account. Your tracking should shift toward credit, document replacement, and formal reporting.

Signs the original compromise came from social engineering

  • The event started after a call, text, or email urging immediate action
  • You were directed to a lookalike login page
  • A support agent contact came from search results, ads, or a message thread
  • You scanned a QR code or installed remote access software
  • You approved an MFA prompt you did not fully verify

Interpreting the entry point matters because it shapes your prevention plan. If the issue began with a fake support workflow or phishing site, your future defenses should focus on verification habits, not just stronger passwords.

For business contexts, identity misuse may blend into invoice fraud or impersonation. Teams should also review "Business Email Compromise Checklist: How to Prevent BEC in Finance and Operations Teams" and "Fake Invoice Scam Red Flags: How Businesses Can Spot Payment Fraud Early".

When to revisit

This article is most useful when you return to it on a schedule, not only during a crisis. Identity theft often has a delayed second phase, especially when exposed personal data is reused months later. Revisit this checklist in the following situations:

  • One week after the incident: confirm urgent steps actually held.
  • One month after the incident: check for delayed fraud, silent account changes, and unresolved disputes.
  • Quarterly: review your tracker, alerts, credit protections, and account recovery settings.
  • Any time you lose a device, wallet, or document: restart the first-24-hours checklist.
  • After any phishing or smishing event: even if no loss is obvious, monitor for follow-on abuse.

A practical way to use this guide is to turn it into a personal or household runbook. Keep a secure note with:

  • Your high-priority accounts in order of importance
  • Official contact paths for banks, carriers, and key providers
  • Your preferred evidence storage method
  • A monthly review date on your calendar
  • A short list of settings to verify every time: MFA, recovery methods, devices, forwarding rules, and payment methods

If you support family members or colleagues, adapt the checklist before an incident happens. Predefined priorities reduce mistakes under stress.

Above all, remember that identity theft recovery is a process, not a single ticket to close. The best outcome is not just restored access. It is a system you can revisit: one that tells you what changed, what still needs attention, and what to do next without guessing. That is what makes an identity theft recovery checklist worth keeping.


2026-06-09T09:36:24.107Z