Layer 1 — Credit-application fraud (CIFAS Protective Registration)

This layer covers the biggest attack vector. CIFAS Protective Registration adds a marker to your credit file so that every credit-card, loan, mortgage, or BNPL application made in your name requires additional verification before the lender approves it.

  • Cost: £25 per 2 years
  • Setup time: 15 minutes
  • What it stops: 80%+ of credit-application fraud attempts via stolen identity data
  • Walkthrough: Step-by-step

Layer 2 — Credit-file monitoring

CIFAS protects against application-stage fraud. Credit-file monitoring catches things that slip through.

  • Free statutory monthly report from each: Experian, Equifax, TransUnion
  • Free real-time alert tools: Credit Karma (powered by TransUnion), ClearScore (Equifax). They notify you of new applications, new accounts, and hard searches.
  • Optional paid: £5-15/month for combined-bureau monitoring with daily alerts. Not strictly needed if you do the free monthly check.
  • Dispute procedure if fraud appears: Dispute templates

Layer 3 — Email and password hygiene

The email address you use for banking + ID verification is the most valuable single credential a criminal can obtain — most account-recovery flows depend on it.

  • Password manager — 1Password, Bitwarden, NordPass. Unique strong password per account. Free tier of Bitwarden is sufficient for most users.
  • 2FA on email itself — the most important single 2FA. Authenticator app (Google Authenticator, Microsoft Authenticator, Authy) rather than SMS.
  • 2FA on banking, ISA, pension — same principle.
  • Have I Been Pwned — register your email at haveibeenpwned.com for free breach-alert emails when your address appears in a new breach.
  • Email forwarding rules audit — many account-takeover attempts leave a silent forwarding rule so the criminal sees password-reset emails. Check your email rules every quarter.

Layer 4 — SIM-swap and telephony defence

SIM-swap fraud defeats SMS-based 2FA by porting your number to the criminal's device. Mobile carrier setups have improved but it remains a viable attack.

  • Set a port-out PIN with your mobile carrier — call your carrier and ask for a "port-out PIN" or "account security code". This must be quoted before any SIM-swap or port-out can proceed.
  • Use authenticator-app 2FA rather than SMS wherever offered.
  • For high-value accounts (main bank, pension, crypto if applicable): use hardware-key 2FA (YubiKey or similar) where supported. Cost ~£25-50; defeats SIM-swap entirely.
  • 159 verification — call 159 from any UK phone to be connected to your bank's fraud line. Use this to verify any "your bank is calling" contact.

Layer 5 — Document and ID replacement

If a scam involved ID documents (passport, driving licence, full bank statements, council-tax bills, utility bills), consider replacement on a risk-weighted basis.

  • Passport reissue at gov.uk/renew-adult-passport — £88.50 standard (online). Worth it if you uploaded a passport image to a phishing site.
  • Driving licence reissue at gov.uk/apply-online-to-replace-a-driving-licence — £20 standard licence. Worth it for confirmed compromise.
  • Bank cards — already replaced on initial fraud report. Confirm new card numbers + CVV.
  • National Insurance number — NI numbers can't be changed. Layer 1 (CIFAS) + Layer 2 (HMRC personal tax account monitoring) cover most NI misuse routes.
  • Notify HMRC at 0300 200 3300 if NI compromised — they can add a security flag to your tax account.
  • Notify DVLA at 0300 790 6802 if driving licence compromised — they monitor for fraudulent applications under your record.

Layer 6 — Ongoing vigilance routine

Layers 1-5 are setup tasks. Layer 6 is the maintenance routine that keeps the stack active.

  • Quarterly check (7 points) for 24 months — routine
  • Annual deep-check for 5 years — same page
  • CIFAS renewal every 2 years (calendar reminder 30 days before expiry)
  • Recovery-scam awareness — assume anyone contacting you offering to recover losses is a scam unless you initiated contact via the verified solicitor's published phone number. Recovery scam warning.
  • Subscribe to ScamSupport Alerts — weekly digest of new UK scam patterns. Subscribe.

Setup sequence — order to do them in

  1. Day 0 — Report Fraud report; bank notification; cards cancelled.
  2. Day 1-3 — Layer 1 (CIFAS) and Layer 3 (password manager + 2FA on email).
  3. Week 1 — Layer 2 (credit-file pull and review), Layer 4 (SIM port-out PIN).
  4. Week 2 — Layer 5 (any ID replacement needed) + Layer 6 calendar reminders set.
  5. Quarterly + ongoing — maintain Layer 6 routine.