Hey Fortuna: I was just contacted by my bank/school/doctor’s office/grandma. They told me that they were hacked, and my information was compromised. What should I do? I should be worried, right?
Oh, darling, welcome to the club! All the cool kids have been compromised. Unfortunately, in today’s world, identity theft and account compromises are not an “if,” but a “when and how bad will it be.” You should take action, but don’t be too stressed. This is totally figure-outable.
First things first: if you know that a specific true account of yours was compromised, contact that financial institution’s customer service channels immediately to report the fraud. You should be able to find customer service through your bank’s website or app, and most cards have a customer service number printed on the back.
You may want to close your account and open a new account if a checking or savings account number was compromised. However, you may only need to dispute specific charges made or attempted with your credit or debit card. If so, the bank can cancel your compromised card number and issue you a new one. Your bank’s customer service reps should be able to guide you to the right option for your situation. Ask the bank to place a fraud alert on your customer profile and accounts, in case you were a victim of additional compromises.
The next step is to place a fraud alert on your credit profile at all three credit bureaus. The credit bureaus are data collection companies, and Experian, TransUnion, and Equifax are the big three. These companies gather your credit information and history from financial institutions and public records, and compile it into your credit file. They run this information through an algorithm to assign your credit score. Each company uses a slightly different algorithm for scoring, which is why your score can differ a little bit from bureau to bureau. The credit bureaus make billions of dollars each year by selling this aggregated information back to lenders, who check your credit score and history to see if you qualify for a credit product. They also sell fraud protection and credit monitoring to consumers, but more on that later.
Although the credit bureaus charge for “fraud protection” services, placing a fraud alert is totally free. A fraud alert is a little flag on your account that tells lenders to do some extra investigation before granting a credit request made using your identity. The credit bureau that you notify may notify the other bureaus, but they don’t have to. It doesn’t hurt or cost anything to place an alert with all 3 bureaus, so I’d recommend just doing it yourself ASAP – fraudsters move fast.
There are two other types of free alerts besides the “fraud alert.” If you have filed an identity theft report with the Federal Trade Commission or law enforcement, you can file a seven-year extended fraud alert. If you’re on active military duty, you can also file an active duty alert, which helps protect your identity as well. Both the extended fraud alert and the active duty alert remove you from credit card and insurance offers (for five and two years, respectively.)
Next, I personally recommend freezing your credit report. This is another totally free way to safeguard yourself against having new accounts opened using your identity, even if you haven’t been compromised (yet). Mr. Fortuna and I have both done this preventatively for years. The only downside here is that if someone needs to check your credit in the future, like if you’re opening a new credit card or switching cell service providers, you’ll have to reach out and unfreeze your file at the relevant bureau(s). Ultimately, it’s a minor hassle with major payoff — it’s a lot faster and less annoying to temporarily unfreeze your credit than it is to dispute a fraudulent account.
To save you some Googling, here are the relevant links for both steps:
You can also pay a small monthly fee for varying levels of identity theft protection or credit monitoring services, which may be offered by your bank or credit card provider, an ID theft protection service (the most affordable I’ve seen lately is Zander, but there are a lot of options) or even one of the credit bureaus I mention above.
How do I know if a credit card or loan was already opened using my information?
Your next step is to look at your credit report. If you aren’t using a credit monitoring or ID protection service and/or would like ongoing credit reviews that are free and easy, you can access this information for free through creditkarma.com. (This is not sponsored; they’re just a solid service and it’s nice that it’s free.) Credit Karma will require you to temporarily unfreeze your credit profiles if you decide to go that route.
You can also run your credit report here with at least one, ideally all 3, of the credit bureaus – and you can still run those reports even if you’ve frozen your credit. Historically, you could only get one free credit report per year from each bureau. Because of the COVID-19 pandemic, as of November 2022 the bureaus continue offering free weekly credit reports to consumers.
The last time I used annualcreditreport.com it took less than fifteen minutes to get and review two of my credit reports. (The Equifax report gave me a hard time and said I needed to request a copy by mail.)
Does it hurt my credit to run my credit report with all three? Or because it isn’t a “hard look” it’s okay?
It will not hurt your credit score to check your own credit — checking your own credit is considered a “soft” inquiry (or “soft look” or “soft pull”) because it’s not related to you trying to get a new credit product. Soft inquiries happen pretty often, probably without you even noticing (like when you get prescreened credit card offers in the mail). A “hard” inquiry/look/pull is the type that affects your credit, and happens when you actually apply for a loan or credit card. You can see both soft and hard inquiries when you check your credit report.
How do I find and dispute fraudulent stuff?
When you run your report, you should immediately see if there are any accounts you don’t recognize. Keep in mind that you may need to click through and look closely at the creditor information, original amount, and account dates; debts are bought and sold all the time, and just because you don’t recognize a specific creditor right away doesn’t mean that the debt is necessarily fraudulent.
In this case, make sure you’re cross-checking reported debts with dates, and looking at whether or not payments were made on the account. It’s a rare fraudster that will open a fake credit card using your information and then make a year’s worth of on-time payments (although stranger things have happened).
If you see any items that you don’t recognize, you can file a dispute then and there on the credit reporting or monitoring site to say “that’s not mine.” You’ll want to explain in a little more detail why you believe the information is not yours, because this process ultimately sends a fraud report to the financial institution that holds the disputed account.
You probably also want to contact the financial institution directly — Google “report fraud + <relevant bank’s name>” and you should find the right place to start.
The financial institution will then investigate your claim; they must acknowledge your dispute within 30 days and generally must complete their investigation within 90 days.
The financial institution may contact you to request some additional information. During this process, you will likely be asked to provide copies of anything showing the error, and so it’s helpful to have those at the ready. For example, fraudsters tend to use a different mailing address than their victims to receive fraudulently-opened credit cards; you’ll want to provide personal identification documents and a bill from the appropriate date establishing proof of your true address. If a card or loan was opened online, the bank can use things like IP address information to cross-check it with your true and correct information.
Speaking as a former fraud investigator, there will be lots of signs that an account is bogus, even if it can take a little time to get to the bottom of things. Banks have big margins for fraud built into their financial plans, because it’s that common, and they generally tend to side with the customer/victim. However, fraud investigators are real people with a big caseload, and they probably aren’t as passionate about your situation as you are, so be courteously proactive as you press your case.
After the investigation is concluded, the bank will close the account and remove it from your credit report, including any derogatory information associated with it.
And then I’m done, right?
This is about the point where I’d say “and that’s it! You’re done!” but if you were a victim of extensive fraud, this can be a fairly drawn-out and irritating process with multiple iterations. You have all my empathy. I had one case where the well-off victim deputized her personal assistant to deal with all of the fallout – we should all be so lucky!
Dealing with fraud can be tough. But even if the fraud was fairly limited, if your identity has been compromised, you’re going to need to up your vigilance for a little while. You can pay a company to do it for you, like with the identity theft and fraud protection services I’ve described, but you can also do it yourself for free.
And once again, I cannot overstate the value of putting a completely free preventative security freeze on your credit profiles. Adding a little bit of friction to your occasional interactions with your credit file is a very small price to pay, compared to the stress and frustration of dealing with identity theft. It costs nothing and is incredibly effective in safeguarding your identity, and that combination is hard to find!
This post was inspired by a question from a friend of Fortuna. Your questions make the best content – or at least, it’s my favorite content to create. If you’ve got questions, we would love to hear from you; please contact us, because if you’ve got a question, there’s a really good chance someone else needs to hear the answer too!